
quarantined email release fails

Releasing has recently gone wrong on my macOS Sierra machine.

Tried it with Safari, Firefox and Chrome but all fail:

Safari:
Safari Can't Open the Page "https://<fqdn>:3840/release.plc?proto=smtp&cluster_id=0&message_id=1c2X06-0006pM-MV&size=3469&whitelist;0" because Safari can't establish a secure connection to the server "<fqdn>".

Firefox:
Secure Connection Failed
An error occurred during a connection to vgk.rcan.nl:3840. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG


Chrome:
This site can’t provide a secure connection
<fqdn> sent an invalid response
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR


Update:

Now, a day later, I found out that Safari is redirecting http://<fqdn>:3840 to an https request. Odd. Anyone experiencing a similar issue?


Adrie



  • The problem is caused by HSTS.

    We have one website with HSTS enabled with "includeSubdomains", https://www.mycompany.com 

    Our quarantine release link is: http://qr.mycompany.com

    When we visit www.mycompany.com, the following HSTS flags get set for the entire *.mycompany.com domain and subdomains: 

    --

    Found:
    static_sts_domain: 
    static_upgrade_mode: UNKNOWN
    static_sts_include_subdomains: 
    static_sts_observed: 
    static_pkp_domain: 
    static_pkp_include_subdomains: 
    static_pkp_observed: 
    static_spki_hashes: 
    dynamic_sts_domain: mycompany.com
    dynamic_upgrade_mode: FORCE_HTTPS
    dynamic_sts_include_subdomains: true
    dynamic_sts_observed: 1529594677.251927
    dynamic_sts_expiry: 1561130677.251925
    dynamic_pkp_domain: 
    dynamic_pkp_include_subdomains: 
    dynamic_pkp_observed: 
    dynamic_pkp_expiry: 
    dynamic_spki_hashes: 

    --

    This makes the UTM QR link unusable, and you receive the "ERR_SSL_PROTOCOL_ERROR" in your browser.

    To get around it in Chrome (Probably the same method in FF and other browsers), go to "chrome://net-internals/#hsts"

    In the query box, enter the full hostname of your quarantine release subdomain (in my case qr.mycompany.com) and hit query. You will see the FORCE_HTTPS lines underneath.

    Then do the same thing for the full domain (mycompany.com); you will more than likely get the same results.

    At the bottom of the same page, under "Delete domain security policies", put both your domain and subdomain (qr.mycompany.com and mycompany.com) and hit DELETE.

    You will now be able to use the release link with no issues!

    The moment you visit your website that has that HSTS config again, it will break your email releases until you follow those above steps again to delete the HSTS policies for your domains.


    A permanent solution would be to allow the quarantine release to run on HTTPS. Another option is to change the URL from an FQDN to an IP address, and if neither of those is a great option, you could move the release URL to another domain (mycompany.net instead of mycompany.com) so that the HSTS settings have no impact.


    Hope it helps.

  • Hi Rudy,

    Excellent post. I have changed our URL for the mail release to a previously unused domain name and now it's accessible again!

    Now the better solution would be for Sophos to fix this so that this site also accepts https.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.