Webfilter HTTPS decryption breaks ChatGPT: HTTP parsing error encountered

Question

We're discovering a strange issue with HTTPS decryption and ChatGPT in all browsers we use. 
 ChatGPT is unusable when we're logged in with the ChatGPT-licensed Microsoft Account. Any chat request generates this or similar errors: 
 
 On the of SFOS 20.0.1 Firewall: 
 Those requests generate the following errors in Webfilter

reason="HTTP parsing error encountered." 
 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36" 
 status_code="403"

When adding a web exception, it works fine

^([A-Za-z0-9.-]*\.)?chatgpt\.com\/

HTTPS decryption 
 HTTPS certificate validation

The strange thing is, when the users use ChatGPT without being logged in or use the Microsoft Co-Pilot in edge, it works. 
 But without the exception, the "HTTP parsing error encountered" is occurring in the webfilter log when they are logged in using their paid Microsoft/ChatGPT account. 
 Any idea how this problem can be avoided without having the exception?

Michael Dunn · Accepted Answer

If you go go chatgtp.com and hit F12 you can watch the request and responses. Ask it to do something and then look at the size of the request headers. You will find they are quite large. For starters in my test the header line openai-sentinel-chat-requirements-token is 11k in size. In 20.0 in DPI mode the maximum size of all headers together is 16k. In 21.0 in DPI mode the maximum size of all headers together is 32k. In 20.0 MR2 in proxy mode the maximum size of a single header line is 8k. There is no max of all headers. In 20.1 (and 20.0 MR3) in proxy mode the maximum size of a single header line is 16k. There is no max of all headers. What does this mean? Anyone running 20.0 MR2 and decrypting chatgpt.com will have problems, in both DPI and proxy. Anyone running 21.0 and decrypting chatgpt.com will work, in both DPI and proxy. If you wait for 20.0 MR3, proxy will work however DPI will still not. TL;DR - upgrade to 21.0 GA for the fix. Or if you want to stay on 20.0 then you need to exclude chatgpt.com from https decryption.

LHerzog · Answer

the only solution here is to exclude the traffic the L2 support says. 
 reference from is this KB: support.sophos.com/.../KBA-000007381

JamesFrost · Answer

Thought I'd chime in as well, same report from our users. Issue appeared over the last few weeks. Added chatgpt.com to the Local TLS exclusion list to fix

Webfilter HTTPS decryption breaks ChatGPT: HTTP parsing error encountered

Top Replies