Using the new DPI SSL/TSL, Linkedin does not open with Firefox on Mac

Linkedin does not open at all.

Parents Reply Children
  • Most of the people, including myself are on holiday right now. 

    So i do have any way to contact anybody. 

     

    But lets wrap this up, I do not have any Mac right now to reproduce this. 

    Did you regenerate all your certificates and reimport them into Firefox? 

    It looks like your Firefox do not like the decryption at all. 

    Based on your tcpdump, the client is killing the connection quickly. 

     

     

    Could you please show us your DPI Profiles?

    Which certificate do you use to decrypted? 

    __________________________________________________________________________________________________________________

  • Sophos CA is imported. Take note I am using Decrypt and Scan since 2016 and no problem at all. I tried to reimport the CA in Firefox nothing changes. Safari works as expected on the same Mac.

    DPI profile is the default one. Same profile, same computer, different browsers different behaviours.

    If anyone is on holiday and no one is reachable after January, Merry Christmas to all Sophos Staff and Community members.

    [

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Regarding the Change of the SSL Requirements by Apple, maybe something broke there.

    Because the DPI Engine can actually use both CAs (default and SSL CA).

    Thats my first question, did you try both CAs to import and choose in DPI?

     

     

    This option may differ from the Proxy CA.

     

     

     

    If you recreate a new Profile with everything "enabled" (not blocked), anything different?

     

    I am not sure about the whole Apple requirement and the Firefox implementation into the certificate store (Most likely because i am too dumb to use a Mac...).

    Does firefox use an own Certificate store on Mac (like windows)?

    __________________________________________________________________________________________________________________

  • Hi Lucar,

    Thanks for your suggestions. I tried to create a separate decryption profile where the re-signing CA is Sophos CA as web proxy, but after few minutes, same behaviour on Firefox. Linkedin, ebay, amazon do not open at all.

    Yes, FF uses its own CA repo and I imported both default and Sophos CA but no way.

    It seems like the DPI works for a couple of minutes and then something crashes on the system.

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • If you open your Certificate, does the Certificate meet all requirements?

    https://support.apple.com/en-us/HT210176

    Just to be sure, its not an issue with your setup / certificate.

    Because actually we have running couple of deployments with customers already productive and its generally working. So i guess, there must be something broken with your setup.

    __________________________________________________________________________________________________________________

  • Hi Luk,

    please humour me. Please try removing all your certificates, enable DPI and try your tests again.

    I have devices without CAs that are connecting using DPI and being decrypt and scanned according to the logs. Maybe my configuration is broken and I am mis-interpreting the log reports.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • That should not be possible to decrypt traffic without CA imported because basically the Client will deny the connection. But XG is able to block certain connections completely, if not meet the requirements (like TLS1.2 min).

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/116945/ssl-tls-inspection-rules-decryption-profile-required-when-action-is-do-not-decrypt

    __________________________________________________________________________________________________________________

  • Hi Toni,

    in theory you are correct, but the current DPI does not seem to follow the rules.

    Please tell me what I am doing wrong with my DPI configuration.

    In the screenshot below ignore the middle line.

    I removed all the CAs from FF and shutdown the MBP while shopping for an hour or so, restarted the MBP and used FF to connect to Luk's failing website - www.amazon.it.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.
  • I guess there is an error in my statement.

    If you configure a Decrypt rule, DPI will decrypt, no matter what. If you are not import any CA, the Client will fail. 

    Your Rule 3 seems to give the DPI engine the order to decrypt this traffic (Source, Destination hit?). 

    If you have a Rule with "Do not decrypt" but block certain cipher, DPI will not decrypt but block. 

     

    __________________________________________________________________________________________________________________

  • Hi Toni,

    an interesting comment. Only one device is passed by the SSL/TLS rule all the rest cheerfully ignore the rule and connect without errors or at least errors that show in logviewer.

    I have functionality for the applications.

    Luk's failing site continues to work through firefox without a CA.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with 2 x APX120 - 20w. 
    If a post solves your question use the 'This helped me' link.