SSL inspection and dropbox

Author
tquessada
2013/05/07 04:25:22 (permalink)

SSL inspection and dropbox

Hi everyone,

I'm trying to use SSL inspection on an HTTPS policy rule. Everything seems to work after importing the Fortinet CA certs (Firefox) except Dropbox ("can't established secured connection").

I tried with Windows and Linux after importing the SSL CA cert, but Dropbox refuses to connect.
My tests:
Firefox on HTTPS website: OK
curl -v https://www.dropbox.com: OK
openssl s_client -connect www.dropbox.com:443 -showcerts: OK, displays the Fortinet CA.

I can see with Wireshark a TLSv1 error "unknown CA".

I hope there is someone who has solved this issue or who could explain my mistake.

Thanks for your help
#1


    emnoc
    RE: SSL inspection and dropbox 2013/05/07 09:28:31 (permalink)
    Maybe Dropbox does not support the Fortinet CA. You could place a fwpolicy rule before your general rule to make an exception.


    #2
    romanr
    RE: SSL inspection and dropbox 2013/05/07 14:55:28 (permalink)
    The DropBox client does not use the machine's certificate store to check validity. It has its own mechanism to check the authenticity of the server it is connecting to.

    So there is no possibility to decipher the DropBox traffic and scan it! In most scenarios this would lead to disallowing DropBox altogether, because it would make most security policies meaningless if you scan SSL on the one hand and have no control over DropBox...

    If you really need dropbox you would need to do it the way emnoc mentioned - find out the IPs of the dropbox servers and create a firewall policy for them above the ssl scanning policy.

    From a corporate point of view: if you need that kind of cloud feature for mobile and other devices, I would invest in some "private cloud" product and host it myself (easy and not expensive with QNAP or Synology NAS devices, but there are for sure a lot of products on the market)...

    br,
    Roman
    #3
    tquessada
    RE: SSL inspection and dropbox 2013/05/07 15:16:00 (permalink)
    Thanks for your help.

    Even with the explicit proxy I can't get SSL inspection and/or DLP working.

    I'll follow your advice and I'll try something like ownCloud (open source) or SharePoint (Microsoft integrated).
    #4
    billp
    RE: SSL inspection and dropbox 2013/05/07 21:53:49 (permalink)
    If you're using FortiOS 5.x, I'm wondering if you could create a special SSL exception for Dropbox. I don't think you could otherwise easily create a firewall policy to exempt Dropbox because it uses Amazon S3. You'd have to exclude all of Amazon S3 access.

    In the CLI, I found these:

    config ftgd-wf
    exempt-ssl {all | <category_str>} Enter categories to exempt from SSL inspection.

    If you try exempt-ssl 'File Sharing and Storage' it might ignore Dropbox. Might be worth a try.

    Bill

    ==========
    Fortigate 600C 5.0.12, 111C 5.0.2
    Logstash 1.4.1
    #5
    PaulMetz
    Re: SSL inspection and dropbox 2020/01/17 06:34:26 (permalink)
    I'm no expert, but this is what I did. Under Security Profiles, SSL/SSH Inspection, I first cloned the deep inspection and then exempted reputable websites from SSL. Under website categories I added Finance and banking, which included Dropbox. I still have a firewall antivirus and malware protection on each desktop, so I believe I should be good. You also have the ability to remove other websites from the Finance and banking template. Please let me know if anyone disagrees; I'm new to this but I also feel it is something most of us should know. After this be sure to edit your IPv4 Policy and link the SSL Inspection to your new custom SSL.
    Paul
     
    #6
    aluby7
    Re: SSL inspection and dropbox 2020/02/10 08:52:27 (permalink)
    I believe Dropbox usually only causes issues with the desktop/mobile application. In the browser, Chrome should pay attention to your internal certificates, but the application just fails if it sees something other than its own certificate due to certificate pinning. This is also why iTunes has issues.
    #7
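
Added example, not part of any post in this thread: a local openssl lab that reproduces the behaviour described in replies #3 and #7, where importing the inspection CA satisfies the browser/OS store but a client that ships its own trust store still answers "unknown CA". All keys, CA names and the hostname `files.example.test` are constructed, and modelling the application's check as a bundled CA file is a simplifying assumption.

```shell
#!/bin/sh
# Constructed lab: every key, CA and hostname here is generated locally.
# real-ca       = CA that issues the storage service's genuine certificate
# inspection-ca = CA the firewall uses to re-sign certificates during deep inspection

mkca() {  # mkca <dir> <name>: create a self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue() {  # issue <dir> <ca-name> <out-name>: sign the server CSR with that CA
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial 1 -days 1 -out "$1/$3.pem" 2>/dev/null
}

verdict() {  # verdict <trust-store> <cert>: decision of a client using that store
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

pinning_demo() {
  d=$(mktemp -d) || return 1
  mkca "$d" real-ca && mkca "$d" inspection-ca || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=files.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  issue "$d" real-ca genuine          # what the service really presents
  issue "$d" inspection-ca inspected  # what the client sees behind the firewall

  # Browser/OS store after the admin imported the inspection CA.
  cat "$d/real-ca.pem" "$d/inspection-ca.pem" > "$d/os-store.pem"
  # Store bundled inside the application: the admin cannot add the inspection CA.
  cp "$d/real-ca.pem" "$d/app-store.pem"

  echo "os-store   inspected: $(verdict "$d/os-store.pem"  "$d/inspected.pem")"
  echo "app-store  inspected: $(verdict "$d/app-store.pem" "$d/inspected.pem")"
  echo "app-store  genuine:   $(verdict "$d/app-store.pem" "$d/genuine.pem")"
  rm -rf "$d"
}

pinning_demo
```

The middle line is the case from the original post: the re-signed certificate chains to a CA the application's own store does not contain, so only exempting that traffic from deep inspection lets the client connect.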