how to handle DNS Protection with Sophos Firewall? SSL_ERROR_NO_CYPHER_OVERLAP

Question

I'm playing around with DNS Protection. 
 First test: use DNS protection behind XGS Firewall with traffic decryption. 
 I installed Sophos Internet Protection Root CA into Endpoint and Firewall. 
 Now I only get SSL errors when trying to load a URL that should be blocked 
 Error code: SSL_ERROR_NO_CYPHER_OVERLAP or ERR_SSL_VERSION_OR_CIPHER_MISMATCH 
 On the firewall I see only this in TLS inspection log: cert_chain_served="TRUE" cipher_suite="" sni="www.kochenmitpaul.de" tls_version="Unknown" reason="TLS handshake fatal alert: handshake failure(40)." exception="" message="" 
 kochenmitpaul.de is just a test-URL on my custom test block domain list. 
 How do I get the client see the block page by DNS protection when the Firewall in in the middle? 
 When I bypass the firewall, I can see the correct block page by DNS protection.

RichBaldry · Accepted Answer

Thanks. 
 I was able to reproduce the issue using the exact IP address shown in your log. It looks like there may be an issue with this particular instance of our blockpage service, which is not able to create/retrieve a certificate. The TLS handshake failure message code 40 is sent by the blockpage server to indicate it can't provide a certificate for the requested hostname. 
 The issue is not related to SFOS or TLS decryption at all. 
 I have asked our Ops team to investigate.

how to handle DNS Protection with Sophos Firewall? SSL_ERROR_NO_CYPHER_OVERLAP

Top Replies