
[SRX] Custom-block-message not working for HTTPS websites


Article ID: KB32545 | KB Last Updated: 04 May 2018 | Version: 1.0
Summary:

This article describes the default behavior of the Server Name Indication (SNI) method, in which no custom-block-message is sent when HTTPS sites are blocked by Enhanced Web Filtering (EWF).

Symptoms:

When HTTPS traffic to a site is blocked, the client does not see a custom-block-message with the Server Name Indication (SNI) method, although it does with the SSL forward proxy method.

Cause:

HTTPS is encrypted communication. To send a block message to the client inside that session, the SRX would need to participate in the encrypted exchange, not merely observe it.

Server Name Indication (SNI) is a TLS extension carried in the "client hello" message. It contains the destination server's hostname in clear text, and it is sent before the SSL/TLS handshake is complete. With the SNI method, the SRX resets the connection as soon as it detects a configured hostname (the URL to be blocked) in the "client hello." Because the connection is already reset, and no session keys have been negotiated, there is no way for the SRX to reply with a custom-block-message; the client only sees a failed connection.

SSL forward proxy, on the other hand, splits the single communication between the two end points into two halves: from the PC to the proxy, and from the proxy to the web server. In this case, when the SRX detects a configured hostname in the "client hello," it completes the SSL exchange with the client itself and can therefore deliver a custom-block-message over that session.

Solution:

This behavior is not a limitation. It is expected by design: the SNI method cannot send a custom-block-message, whereas SSL forward proxy can.

A custom-block-message, even if explicitly set by using the following configuration, will therefore not have any effect in SNI: 

set security utm feature-profile web-filtering juniper-enhanced profile wf-enhanced_TEST custom-block-message "Juniper Web Filtering has been set to block this site."

For more information about web-filtering with SNI and SSL forward proxy, refer to KB31122 - [SRX] Blocking HTTPS sites using EWF (Enhanced Web Filtering).

Note:

  • From version 12.3X48-D25 and later, all SRX devices (except vSRX) can integrate SSL proxy with the EWF feature.

  • From version 15.1X49-D40 and later, SRX can integrate SSL proxy with the EWF feature, thus allowing selective SRX devices (SRX340, SRX345, SRX5400, SRX5600, SRX5800, and vSRX instances) to extract the URL from the HTTPS connection. 

  • From 12.3X48-D45 or 15.1X49-D80 and later, support for SNI with EWF is available on the SRX platform.
