Page 1 of 3 123 LastLast
Results 1 to 10 of 28
  1. #1
    Newbie
    Join Date
    Jul 2018
    Posts
    10

    Default Server SSL decrypt exception: Tag mismatch

    What exactly is a Tag mismatch? I am seeing more and more sites going dark with SSL inspection turned on, and this seems a server side error.

    Is there any option I can disable to allow the inspection to continue (via maybe a downgrade attack or the likes)? These cause the connection to be abandoned.

  2. #2
    Newbie
    Join Date
    Jan 2014
    Posts
    10

    Default

    Quote Originally Posted by jchoover View Post
    What exactly is a Tag mismatch? I am seeing more and more sites going dark with SSL inspection turned on, and this seems a server side error.

    Is there any option I can disable to allow the inspection to continue (via maybe a downgrade attack or the likes)? These cause the connection to be abandoned.

    Same issue here. Any luck?

  3. #3
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,129

    Default

    Quote Originally Posted by jchoover View Post
    What exactly is a Tag mismatch?
    I've never experienced this error and I'm not going to be any help, but I hate to see a couple people having this problem and it get completely ignored.

    I'm curious about what you see when the error occurs, besides sites "going dark." When you call it a "server side error" that means, to me, that the Web server for the site you're visiting is reporting an error. Is that correct?

  4. #4
    Newbie
    Join Date
    Jan 2014
    Posts
    10

    Default

    This is basically what happens

    e99df36f-3113-47fc-a4d6-2ec2ed6f2084.JPG

  5. #5
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,129

    Default

    Well, I did see the image but now it says the attachment is invalid. And I'm not sure this is the same problem being experienced by jchoover. Let's see if we can figure it out anyway.

    By default, SSL Inspector inspects very few targets. We have some specific ignore rules, and then some specific inspect rules, followed by the very important "Ignore Other Traffic" rule. You don't by any chance have the "Inspect All Traffic" rule enabled?

  6. #6
    Newbie
    Join Date
    Jan 2014
    Posts
    10

    Default

    Yes, I do, but I also just checked all my other untangle boxes and they do as well.

  7. #7
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,129

    Default

    If I delete SSL Inspector and reinstall it, that's not checked by default. In any case, I strongly recommend unchecking "Inspect All Traffic." It seems at first thought like a good idea to inspect all traffic, but the real point of doing SSL inspection is to help prevent harmful payloads coming down the pipe under the cloak of SSL. Targeted, selective inspection, as illustrated by the default inspect rules, accomplishes that adequately and with minimum site breakage.

  8. #8
    Newbie
    Join Date
    Jan 2014
    Posts
    10

    Default

    What about having Web Filter inspect SSL sites?

  9. #9
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,129

    Default

    Yes, I would.

  10. #10
    Newbie
    Join Date
    Jan 2014
    Posts
    10

    Default

    My question is if I turn off "Inspect all traffic" how will Web Filter inspect all sites?

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2