HTTPs/Secure Connection Fails - SSL_ERROR_RX_RECORD_TOO_LONG

KevinL123

HTTPs/Secure Connection Fails - SSL_ERROR_RX_RECORD_TOO_LONG Thursday, June 29, 2017 3:12 PM (permalink)
Hey everyone,
 
I purchased the GFI WebMonitor software to use it as a category and DNS-based filter for unwanted traffic inside of our enterprise infrastructure.
So basically I just wanted to filter HTTP and HTTPs traffic without breaking any TLS-certificate connection.
Due to privacy concerns I really don't want to read or scan HTTPs traffic but instead just block any DNS connections which are unwanted.
So far I managed to block many HTTP requests and much category-based traffic.
 
As soon as I try to open any HTTPs connections like "https://facebook.com" I get the following error message:
Mozilla Firefox: Secure Connection Fails - SSL_ERROR_RX_RECORD_TOO_LONG
IE/Edge: no secure connection to this site possible - the site you are trying to visit may use insecure TLS or is too old.
Note: "de-de.facebook.com" gets blocked successfully because it is requested as HTTP and gets filtered by the WebMonitor.
 
I troubleshooted a lot and also blocked HTTP/HTTPS connections, only allowing the proxy by using the following firewall rules:
  1. Rule: Permit  --->  TCP  --->  <My Static Private IP>  --->  <Proxy Private IP>  --->  Port 8080
  2. Rule: Permit  --->  TCP  --->  <Proxy Private IP>  --->  Untrusted-Net  --->  Port 80
  3. Rule: Permit  --->  TCP  --->  <Proxy Private IP>  --->  Untrusted-Net  --->  Port 443
  4. Rule: Deny  --->  TCP/UDP  --->  <My Static Private IP>  --->  Untrusted-Net  --->  Port 80
  5. Rule: Deny  --->  TCP/UDP  --->  <My Static Private IP>  --->  Untrusted-Net  --->  Port 443
After that I also tried to use the HTTPs generated root-Cert from the GUI (HTTPs-Scanning)
by including the .cer file in one of my trusted root certificate directories, exactly as described in your many tutorials.
Sadly without success. Even after changing from "Simple Proxy Mode" to "Gateway Mode" no change was noticeable while testing the configurations.

My current configuration is the following:
Version: GFI WebMonitor 10 (build: 20170516)
Network Mode: Gateway Mode
Transparent/Caching Proxy: Off
Database: Embedded
Security&Updates: Everything updated to the newest version

I really don't know what I am missing at this point...
Can anyone advise, or is there anyone who could already fix this specific SSL_ERROR problem?
Thanks a lot! :)
 
Best regards,
KevinL123
<message edited by KevinL123 on Thursday, June 29, 2017 3:13 PM>
 
#1
    dhoengpreth

    Re:HTTPs/Secure Connection Fails - SSL_ERROR_RX_RECORD_TOO_LONG Wednesday, July 19, 2017 5:37 AM (permalink)
    Maybe you must disable HTTPS scanning from the settings menu.
     
    #2
      Carly Sherman_GFI

      Re:HTTPs/Secure Connection Fails - SSL_ERROR_RX_RECORD_TOO_LONG Wednesday, July 26, 2017 4:48 PM (permalink)
      Hi KevinL123 - if you are still having issues with your setup, I'd recommend submitting a support ticket to review your system and what you are trying to achieve with a tech. Log in to your account to open a support case: https://accounts.gfi.com
       
      ~Carly
       
      #3
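
Added diagnostic example, not part of any post in this thread and not GFI code: a TLS client reads the first five bytes it receives as a record header, and SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when the length field in that header exceeds the protocol limit, which is what a plaintext HTTP or HTML reply produces. The sample byte strings are constructed, and whether this is the cause in the setup described above is not established in the thread.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT_LEN = 2**14 + 2048  # record body limit, RFC 5246 section 6.2.3

# Constructed sample replies (not captured from any real system).
SAMPLES = {
    "plaintext_status_line": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "plaintext_html_page": b"<html><body>Blocked by policy</body></html>",
    "tls_handshake_record": bytes.fromhex("160303004a0200"),
}


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first 5 bytes of a reply the way a TLS stack would."""
    if len(data) < 5:
        return {"verdict": "incomplete"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {
        "content_type": TLS_CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": (major, minor),
        "length": length,
        # Heuristic hint only: does the reply look like HTTP or HTML text?
        "plaintext_http": data[:5] == b"HTTP/" or data.lstrip()[:1] == b"<",
    }
    if length > MAX_CIPHERTEXT_LEN:
        # ASCII bytes land in the length field, e.g. "P/" -> 0x502F = 20527.
        result["verdict"] = "record_too_long"
    elif ctype in TLS_CONTENT_TYPES and major == 3:
        result["verdict"] = "tls_record"
    else:
        result["verdict"] = "not_tls"
    return result


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_bytes(raw))
```

To apply it to a real reply, feed the function the first bytes received on the connection that fails, for example from a packet capture taken on the client.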