The issue of the first connection not being matched could be related to background handling of categorization in URL Filtering.

Specifically, Domain objects are DNS-based and should correctly infer the IP addresses of a provided domain. The alternative to SNI-based matching is IP-based matching, which includes IP-based objects such as Host and Domain objects.

Have you updated it recently? (The option is also in SmartDashboard.) The most common reason for a certificate not being trusted is the HTTPS Inspection Trusted CAs being outdated.

It actually provides more information if the specific case is set not to be dropped in HTTPS Inspection's configuration in SmartDashboard. Unfortunately, the log does not currently provide detailed information in this regard. There are a few potential reasons for a server certificate not to be considered valid, including being untrusted, malformed, not signed by its issuer, expired, revoked, missing critical fields, etc. If you see the certificate logged as invalid by the Gateway, it means that the server certificate is not considered valid for some reason.

If we trusted any SNI presented by the client, our solution would be vulnerable to domain fronting. We must use a reliable source for the identity of the server.