Linkedin does not open at all.
If you open your Certificate, does the Certificate meet all requirements?
https://support.apple.com/en-us/HT210176
Just to be sure, it's not an issue with your setup / certificate.
Because actually we have a couple of deployments running with customers already in production and it's generally working. So I guess there must be something broken with your setup.
__________________________________________________________________________________________________________________
Hi Luk,
please humour me. Please try removing all your certificates, enable DPI and try your tests again.
I have devices without CAs that are connecting using DPI and being decrypted and scanned according to the logs. Maybe my configuration is broken and I am misinterpreting the log reports.
Ian
XG115W - v20.0.2 MR-2 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
It should not be possible to decrypt traffic without the CA imported, because basically the client will deny the connection. But XG is able to block certain connections completely if they do not meet the requirements (like TLS 1.2 minimum).
__________________________________________________________________________________________________________________
Hi Toni,
in theory you are correct, but the current DPI does not seem to follow the rules.
Please tell me what I am doing wrong with my DPI configuration.
In the screenshot below ignore the middle line.
I removed all the CAs from FF and shut down the MBP while shopping for an hour or so, restarted the MBP and used FF to connect to Luk's failing website - www.amazon.it.
Ian
I guess there is an error in my statement.
If you configure a Decrypt rule, DPI will decrypt, no matter what. If you do not import any CA, the client will fail.
Your Rule 3 seems to give the DPI engine the order to decrypt this traffic (Source, Destination hit?).
If you have a Rule with "Do not decrypt" but block certain cipher, DPI will not decrypt but block.
__________________________________________________________________________________________________________________
Hi Toni,
an interesting comment. Only one device is passed by the SSL/TLS rule; all the rest cheerfully ignore the rule and connect without errors, or at least without errors that show in the log viewer.
I have functionality for the applications.
Luk's failing site continues to work through Firefox without a CA.
Ian
Thanks Ian for your tests. Without some developers looking at the issue, our hands are tied...
What exact error did FF throw? I personally got for various sites an "rx reissued serial" or similar error. Resetting (cleaning up) FF did resolve the issue. It seems that FF stores some cert serials and blocks sites if an already issued serial gets reused.
Maybe it helps (instead of a TLS exclusion) to MITM LinkedIn. In my case LinkedIn works fine intercepted.
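Two checks that follow from this thread, as an added example (not code from the thread, from Sophos, or from any poster): whether a leaf certificate minted by an interception CA satisfies the Apple requirements linked earlier in the thread (HT210176: RSA key of at least 2048 bits, SHA-2 signature, DNS name in the SAN extension, id-kp-serverAuth in EKU, validity of at most 825 days), and whether a batch of such certificates reuses an issuer+serial pair, which is the Firefox "reissued serial" failure described above. It assumes the `cryptography` package is installed; the CA, the hostnames and the leaf certificates are constructed in memory for the demonstration.

```python
"""Checks for leaf certificates minted by a TLS-inspecting (DPI) firewall.

Added example, not code from the thread or from Sophos. Requires the
`cryptography` package. Every key and certificate here is constructed
in memory for the demonstration.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MAX_VALIDITY_DAYS = 825   # HT210176 limit for leaf certs issued after 2019-07-01
MIN_RSA_BITS = 2048


def _validity(cert: x509.Certificate) -> timedelta:
    """Certificate lifetime; falls back for cryptography releases without *_utc."""
    try:
        return cert.not_valid_after_utc - cert.not_valid_before_utc
    except AttributeError:
        return cert.not_valid_after - cert.not_valid_before


def check_apple_tls_requirements(cert: x509.Certificate) -> list[str]:
    """Return the HT210176 requirements this leaf certificate violates (empty = passes)."""
    problems = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        problems.append(f"RSA key is {pub.key_size} bits, minimum is {MIN_RSA_BITS}")
    sig_hash = cert.signature_hash_algorithm
    if not isinstance(sig_hash, (hashes.SHA256, hashes.SHA384, hashes.SHA512)):
        problems.append("signature hash is not from the SHA-2 family")
    if _validity(cert) > timedelta(days=MAX_VALIDITY_DAYS):
        problems.append(f"validity of {_validity(cert).days} days exceeds {MAX_VALIDITY_DAYS}")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if not san.get_values_for_type(x509.DNSName):
            problems.append("SAN extension carries no DNS name")
    except x509.ExtensionNotFound:
        problems.append("no Subject Alternative Name extension (CN alone is not accepted)")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("ExtendedKeyUsage lacks id-kp-serverAuth")
    except x509.ExtensionNotFound:
        problems.append("no ExtendedKeyUsage extension")
    return problems


def find_reused_serials(certs) -> list[tuple[str, int]]:
    """(issuer, serial) pairs shared by two *different* certificates.

    Firefox remembers issuer+serial pairs it has seen; a second, different
    certificate carrying the same pair is rejected, which matches the
    "reissued serial" symptom reported in the thread.
    """
    seen, reused = {}, []
    for cert in certs:
        key = (cert.issuer.rfc4514_string(), cert.serial_number)
        first = seen.setdefault(key, cert)
        if first != cert and key not in reused:
            reused.append(key)
    return reused


def make_ca(name: str = "Demo DPI CA"):
    """Constructed interception CA: private key plus its self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def mint_leaf(ca_key, ca_cert, hostname, *, key_bits=2048, days=398,
              with_san=True, with_eku=True, serial=None):
    """Leaf certificate a DPI engine would present for `hostname`, signed by the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
               .issuer_name(ca_cert.subject)
               .public_key(key.public_key())
               .serial_number(serial if serial is not None else x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=days)))
    if with_san:
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
    if with_eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    good = mint_leaf(ca_key, ca_cert, "www.example.test")
    bad = mint_leaf(ca_key, ca_cert, "www.example.test", key_bits=1024, days=1000,
                    with_san=False, with_eku=False)
    print("compliant leaf:", check_apple_tls_requirements(good))
    print("non-compliant leaf:", check_apple_tls_requirements(bad))
    dup = mint_leaf(ca_key, ca_cert, "other.example.test", serial=good.serial_number)
    print("reused issuer+serial:", find_reused_serials([good, bad, dup]))
```

To check a real certificate presented by the firewall, export it from the browser and load it with `x509.load_pem_x509_certificate()` before passing it to `check_apple_tls_requirements()`; an empty list means the Apple-side requirements are met and the remaining suspects are the rule hit and the trust store, as the thread discusses.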
Thanks for your input. I already cleared the cache and obtained very little improvement, but... amazon.it works, but changing from 120 to 480 GB does not work at all on this link.
Clearing cache doesn't help, as FF stores cert serials.
try this