
Webfilter HTTPS decryption breaks ChatGPT: HTTP parsing error encountered

We're discovering a strange issue with HTTPS decryption and ChatGPT in all browsers we use.

ChatGPT is unusable when we're logged in with the ChatGPT-licensed Microsoft Account. Any chat request generates this or similar errors:

On the of SFOS 20.0.1 Firewall:

Those requests generate the following errors in Webfilter

  • reason="HTTP parsing error encountered."
  • user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
  • status_code="403"

When adding a web exception, it works fine

^([A-Za-z0-9.-]*\.)?chatgpt\.com\/
HTTPS decryption
HTTPS certificate validation

The strange thing is, when the users use ChatGPT without being logged in or use the Microsoft Copilot in Edge, it works.

But without the exception, the "HTTP parsing error encountered" is occurring in the webfilter log when they are logged in using their paid Microsoft/ChatGPT account.

Any idea how this problem can be avoided without having the exception?



edited text for logged in users
[edited by: LHerzog at 1:59 PM (GMT -8) on 6 Nov 2024]

  • If you go to chatgpt.com and hit F12 you can watch the request and responses.  Ask it to do something and then look at the size of the request headers.  You will find they are quite large.  For starters in my test the header line openai-sentinel-chat-requirements-token is 11k in size.

    In 20.0 in DPI mode the maximum size of all headers together is 16k.
    In 21.0 in DPI mode the maximum size of all headers together is 32k.

    In 20.0 MR2 in proxy mode the maximum size of a single header line is 8k.  There is no max of all headers.
    In 20.1 (and 20.0 MR3) in proxy mode the maximum size of a single header line is 16k.  There is no max of all headers.

    What does this mean?
    Anyone running 20.0 MR2 and decrypting chatgpt.com will have problems, in both DPI and proxy.
    Anyone running 21.0 and decrypting chatgpt.com will work, in both DPI and proxy.

    If you wait for 20.0 MR3, proxy will work however DPI will still not.

    TL;DR - upgrade to 21.0 GA for the fix.  Or if you want to stay on 20.0 then you need to exclude chatgpt.com from https decryption.
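
An added example, not part of the original thread and not Sophos tooling: a Python check that runs the request headers from a browser HAR export (F12, network tab) against the four limits listed in the reply above. It assumes "k" means 1024 bytes and counts a header line as `name: value` plus CRLF; the sample request, its 6k cookie and the function names are constructed for illustration.

```python
"""Check HAR request headers against the header-size limits quoted in the reply.
Assumptions: "k" = 1024 bytes; a header line is counted as "name: value" + CRLF."""
import json
import sys

K = 1024
# (profile, max single header line, max all headers together); None = no limit given
LIMITS = [
    ("20.0 DPI", None, 16 * K),
    ("21.0 DPI", None, 32 * K),
    ("20.0 MR2 proxy", 8 * K, None),
    ("20.1 / 20.0 MR3 proxy", 16 * K, None),
]

def header_sizes(headers):
    """Return (name of largest line, its size in bytes, total bytes of all lines)."""
    lines = [(len(f'{h["name"]}: {h["value"]}\r\n'.encode()), h["name"]) for h in headers]
    largest, name = max(lines)
    return name, largest, sum(size for size, _ in lines)

def audit_har(har):
    """Return (url, profile, reason) for every request a profile would reject."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if not req["headers"]:
            continue
        name, largest, total = header_sizes(req["headers"])
        for profile, max_line, max_total in LIMITS:
            if max_line is not None and largest > max_line:
                findings.append((req["url"], profile, f"{name} line {largest} B > {max_line} B"))
            if max_total is not None and total > max_total:
                findings.append((req["url"], profile, f"all headers {total} B > {max_total} B"))
    return findings

# Constructed sample, not captured traffic: an 11k token header (the size measured
# in the reply) plus a constructed 6k cookie; the URL path is left as the site root.
SAMPLE_HAR = {"log": {"entries": [{"request": {"url": "https://chatgpt.com/", "headers": [
    {"name": "user-agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"name": "openai-sentinel-chat-requirements-token", "value": "A" * 11 * K},
    {"name": "cookie", "value": "c" * 6 * K},
]}}]}}

if __name__ == "__main__":
    har = SAMPLE_HAR
    if len(sys.argv) > 1:  # path to a HAR file exported from the browser's network tab
        with open(sys.argv[1], encoding="utf-8") as f:
            har = json.load(f)
    for url, profile, reason in audit_har(har):
        print(f"{profile}: {url}\n    {reason}")
```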
