  1. #1
    Untanglit
    Join Date
    Mar 2020
    Posts
    19

    Trouble understanding dropped connection

    I'm using the Z4W appliance with the home pro license with SSL inspector configured and the root certificate installed on my PC.

    Today I was trying to log into PayPal and got the error that the connection was suddenly closed by PayPal. Turning off SSL Inspector resolved the issue, until I turned SSL Inspector back on again, then the issue returned. In SSL Inspector I un-checked the "Inspect All Traffic" box, and that resolved the error, BUT when I re-checked the box the issue remained resolved!? So I opened a private browser (Google Chrome) and repeated the problem. SSL Inspector on, PayPal doesn't load. SSL Inspector off, the page loads. Uncheck "Inspect All Traffic" and PayPal loads, re-checking Inspect All Traffic and the problem again remains resolved!? Can anyone explain what's happening here? There must be some sort of key or certificate exchange that I'm not aware of, any info would be appreciated.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,186

    Working as intended, some services cannot be inspected. Inspect All Traffic is not recommended either.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,516

    Many secure sites now have MITM protection for security, which is what SSL Inspector is doing. The future of the Internet is to prevent inspection of encrypted traffic.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Master Untangler Sam Graf's Avatar
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    928

    You may be able to craft an SSL Inspector rule that ignores PayPal traffic (I do that on the business server for Square traffic). There are examples of this approach in the default rule set.

    [Attached image: wildcard.png]

  5. #5
    Untanglit
    Join Date
    Mar 2020
    Posts
    19

    Thanks for the replies, I'll add a rule to ignore PayPal traffic.

    With the goal being to scan as much as possible, especially since I have a teenager who I'm sure will at some point end up where he shouldn't be, what strategy do you all use for making rules on what to scan? The default rules seem to leave a lot out, unless I'm not understanding them correctly.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,186

    I don't use SSL inspector at all, Web Filter contains my kids with just SNI on all their devices without messing with certificate chains. I've even got devices flagged with the kids' names, so I can route to policies based on the names in question.

    Got four rules in there in particular... one for each kid that shoves their traffic into the grounded rack... I'll give you one guess as to what that does!

  7. #7
    Untanglit
    Join Date
    Mar 2020
    Posts
    19

    How do you see where they're going without SSL Inspector now that Chrome is supporting DoH by default? Web Filter was giving me very little info until I enabled SSL I.
    Last edited by MattFL2; 03-04-2020 at 03:55 PM.

  8. #8
    Master Untangler Sam Graf's Avatar
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    928

    I don't have kids at home so I really don't count. But I do use SSL Inspector, so I'll throw my in.

    First, keep in mind that SSL Inspector acts on all HTTPS traffic by the default configuration. That's a much broader scope than suggested by the rules. And that's why I have to/want to exclude Square traffic on the business server. First, I want to make sure that traffic is allowed without problem from any device. Second, I should be able to trust that traffic. And third, that traffic is none of my business. Square itself tells the boss whatever she needs to know. But all that is in play because SSL Inspector processes all HTTPS traffic.

    I also look at SSL Inspector in a way that takes a cue from the default rules: If I have a specific concern about some website or service, I'll try to clear away any impediment to inspection by Untangle through SSL Inspector. So, I like the default YouTube rule, for example. I have no reason to trust YouTube even as I use it, and I don't want the other Untangle apps to silently fail to inspect YouTube traffic because it's encrypted.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,186

    Originally posted by MattFL2:
    How do you see where they're going without SSL inspector now that chrome is supporting DOH by default? Web filter was giving me very little info until I emailed SSL I.
    I block QUIC, and force everything to use HTTPS, which provides SNI and the filter works. You're operating under the assumption that you can't filter... you can. Though if you put in the time, SSL inspector can provide greater insight to enable more accurate filtration. But if you don't need that accuracy, why bother?

  10. #10
    Untanglit
    Join Date
    Mar 2020
    Posts
    19

    My primary goals are (1) keeping my kid off of the back streets of the internet including bad things on Google image search, and (2) catching any potential trojans or exploits that come from compromised web sites. A distant (3) is blocking ads. If you don't have teenagers, trust me that it takes teenage boys about 2 minutes with their buddies to find everything that cannot be unseen on the internet. So with these things in mind, I have 3 questions that I would love some help with:

    (1) Will the default rules in SSL Inspector give the web filter enough info to accomplish these goals (as much as web filter is capable)?
    (2) What traffic does the "Inspect All Traffic" rule catch that goes uncaught without it?
    (3) If I set SSL Inspector to ignore traffic from my son's phone via its MAC address (long story related to certificate pinning in the YouTube app), will any useful scanning be done? Is there a way to at least scan DNS requests, though I realize they are now DoH?

    Side note: I found more web sites that the "Inspect All Traffic" interferes with, so it's definitely looking like less of an option.
