damianhlozano
Explorer II
June 4, 2025
Question

Allow certificate for specific website


Hello team!
I hope you are fine!

Recently a user reported a problem to me; after some troubleshooting, I found something that was new to me:

This is one of these events, in the SSL section:
date=2025-06-04 time=09:56:47 eventtime=1749041807646108870 tz="-0300" logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="root" action="blocked" policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=234042452 service="HTTPS" profile="certificate-inspection_Alumnos" srcip=10.1.1.35 srcport=50274 srccountry="Reserved" dstip=104.21.96.1 dstport=443 dstcountry="United States" srcintf="VLAN1" srcintfrole="lan" dstintf="wan2" dstintfrole="wan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 eventsubtype="encrypted-client-hello" hostname="cloudflare-ech.com" msg="SSL connection is blocked."
The certificate inspection profile is the following:
config firewall ssl-ssh-profile
    edit "certificate-inspection_Alumnos"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443
            set status certificate-inspection
            set quic inspect
            set unsupported-ssl-cipher block
        end
        config ftps
            set status disable
            set unsupported-ssl-version allow
            set unsupported-ssl-cipher block
        end
        config imaps
            set status disable
            set unsupported-ssl-version allow
            set unsupported-ssl-cipher block
        end
        config pop3s
            set status disable
            set unsupported-ssl-version allow
            set unsupported-ssl-cipher block
        end
        config smtps
            set status disable
            set unsupported-ssl-version allow
            set unsupported-ssl-cipher block
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status deep-inspection
            set quic block
            set unsupported-ssl-cipher block
        end
        config ech-outer-sni
            edit "tls-ech"
                set sni "public.tls-ech.dev"
            next
            edit "defo.ie"
                set sni "cover.defo.ie"
            next
            edit "cloudflare-ech.com"
                set sni "cloudflare-ech.com"
            next
        end
    next
end

In this profile, I do not have the "Exempt from SSL Inspection" section.

I know I can create a new policy just for this site, without SSL inspection, but I prefer to avoid adding unnecessary policies.

Do you know what can I do to allow access to "kidlocoding.com"?
Thanks in advance.

Regards,

Damián
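The log line in the question can be triaged programmatically before deciding what to change in the profile. The following Python is an added example, not part of the original post and not FortiOS code: it parses FortiGate key=value log lines (quoted values may contain spaces), picks out the ssl-negotiation events that were blocked with eventsubtype="encrypted-client-hello", and counts them per inspection profile and outer hostname. The first sample line is the one from the post; the other two are constructed for contrast, and their field values (logid, addresses, and eventsubtype="unsupported-ssl-cipher") are illustrative rather than verified FortiOS values.

```python
"""Find FortiGate SSL-inspection events blocked because of Encrypted Client Hello.

Added example, not Fortinet code.  Parses the key=value log format shown in the
question and counts ECH blocks per inspection profile and (outer) hostname.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# First line is the one from the post; the other two are constructed for contrast
# (their values, including eventsubtype="unsupported-ssl-cipher", are illustrative).
SAMPLE_LOGS = [
    'date=2025-06-04 time=09:56:47 eventtime=1749041807646108870 tz="-0300" logid="1702062101" '
    'type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="root" action="blocked" '
    'policyid=25 poluuid="916a1a8a-ab4a-51ef-8238-c0f79567272e" policytype="policy" sessionid=234042452 '
    'service="HTTPS" profile="certificate-inspection_Alumnos" srcip=10.1.1.35 srcport=50274 '
    'srccountry="Reserved" dstip=104.21.96.1 dstport=443 dstcountry="United States" srcintf="VLAN1" '
    'srcintfrole="lan" dstintf="wan2" dstintfrole="wan" srcuuid="bc5355aa-c400-51ed-6f23-4fa5e520c8f9" '
    'dstuuid="5a9b4e2a-bf4c-51ed-dc50-e448f485ac50" proto=6 eventsubtype="encrypted-client-hello" '
    'hostname="cloudflare-ech.com" msg="SSL connection is blocked."',
    # constructed: an ordinary negotiation that was let through
    'date=2025-06-04 time=10:02:11 tz="-0300" logid="1702062100" type="utm" subtype="ssl" '
    'eventtype="ssl-negotiation" level="notice" vd="root" action="passthrough" policyid=25 '
    'service="HTTPS" profile="certificate-inspection_Alumnos" srcip=10.1.1.36 srcport=51000 '
    'dstip=203.0.113.10 dstport=443 proto=6 hostname="example.org" msg="SSL connection passthrough."',
    # constructed: a block for a different reason, which must not be counted as ECH
    'date=2025-06-04 time=10:05:40 tz="-0300" logid="1702062101" type="utm" subtype="ssl" '
    'eventtype="ssl-negotiation" level="warning" vd="root" action="blocked" policyid=25 '
    'service="HTTPS" profile="certificate-inspection_Alumnos" srcip=10.1.1.37 srcport=51234 '
    'dstip=203.0.113.20 dstport=443 proto=6 eventsubtype="unsupported-ssl-cipher" '
    'hostname="legacy.example" msg="SSL connection is blocked."',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces
# and escaped quotes) or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_ech_block(rec: Dict[str, str]) -> bool:
    """True when the SSL profile blocked the handshake because the client sent ECH."""
    return (
        rec.get("type") == "utm"
        and rec.get("subtype") == "ssl"
        and rec.get("action") == "blocked"
        and rec.get("eventsubtype") == "encrypted-client-hello"
    )


def summarize_ech_blocks(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count ECH blocks keyed by (ssl-ssh-profile name, outer hostname seen in the ClientHello)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if is_ech_block(rec):
            counts[(rec.get("profile", "?"), rec.get("hostname", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (profile, host), n in sorted(summarize_ech_blocks(SAMPLE_LOGS).items()):
        print(f"{n:4d}  profile={profile}  hostname={host}")
```

Note that the hostname you get back for an ECH-blocked session is the cleartext (outer) SNI, so several unrelated sites behind the same ECH public name will collapse into one row; the inner name is not in the log because the firewall never sees it.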

1 reply

dingjerry_FTNT
Staff
June 4, 2025

Hi @damianhlozano ,
The log message has clearly shown us the reason:  

eventsubtype="encrypted-client-hello"
Your SSL inspection profile has the following setting:

[Screenshot: Encrypted-Client-Hello.png]

You may also use the following CLI command to change this setting:
config firewall ssl-ssh-profile
    edit "Clone of certificate-inspection"
        config https
            set unsupported-ssl-cipher block
            set encrypted-client-hello allow
        end
    next
end

damianhlozano
Explorer II
June 4, 2025

Hello,
Thanks for your response!!

Sorry, I missed this.

Is it secure to allow "encrypted client hello"?

Maybe there is another way than allowing all connections with encrypted client hello.
Thanks in advance.

Regards,

Damián

dingjerry_FTNT
Staff
June 4, 2025

Since you are using Certificate Inspection, you have no way to decrypt the Encrypted Client Hello packets. So it should be fine for you.
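The two staff replies turn on what a certificate-inspection profile can actually see in the handshake. The following Python is an added example and not Fortinet code: it constructs a minimal TLS 1.3 ClientHello, parses it the way a passive inspector would, and reports the cleartext server_name alongside whether an encrypted_client_hello extension (type 0xfe0d, from the IETF ECH draft) is present. With ECH, the cleartext SNI carries the ECH config's public name, which is consistent with the log in the question showing hostname="cloudflare-ech.com" for the blocked session; the real name travels inside the ECH payload, which a device that does not terminate TLS cannot decrypt. The ECH payload here is constructed opaque bytes standing in for a real HPKE-encrypted ClientHelloInner, and certificate_inspection_decision() is an assumed model of the profile's encrypted-client-hello block/allow switch, not FortiOS logic.

```python
"""Inspect a TLS ClientHello the way a certificate-inspection (passive) profile can.

Added example, not Fortinet code.  The ClientHello is built locally so the script
runs offline; the ECH extension payload is constructed opaque bytes standing in
for the real HPKE-encrypted ClientHelloInner.
"""
import struct
from typing import Optional

SNI_EXT_TYPE = 0x0000        # server_name (RFC 6066)
SUPPORTED_VERSIONS = 0x002B  # supported_versions (RFC 8446)
ECH_EXT_TYPE = 0xFE0D        # encrypted_client_hello (draft-ietf-tls-esni)


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(outer_sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Construct a minimal TLS 1.3 ClientHello record (test input, not a capture)."""
    host = outer_sni.encode()
    sni_entry = b"\x00" + _u16(len(host)) + host          # name_type host_name(0)
    sni_body = _u16(len(sni_entry)) + sni_entry
    exts = _u16(SNI_EXT_TYPE) + _u16(len(sni_body)) + sni_body
    sv_body = b"\x02\x03\x04"                              # supported_versions: TLS 1.3 only
    exts += _u16(SUPPORTED_VERSIONS) + _u16(len(sv_body)) + sv_body
    if ech_payload is not None:
        # constructed opaque bytes; a real ECH extension carries an HPKE ciphertext
        exts += _u16(ECH_EXT_TYPE) + _u16(len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03" + b"\x11" * 32   # legacy_version, random (fixed for reproducibility)
        + b"\x00"                    # legacy_session_id: empty
        + _u16(2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # legacy_compression_methods: null
        + _u16(len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake    # TLSPlaintext handshake record


def inspect_client_hello(record: bytes) -> dict:
    """Return the cleartext facts a passive inspector can extract from a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
    pos += 1 + body[pos]                            # legacy_compression_methods
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    seen = {"outer_sni": None, "ech_present": False, "extensions": []}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        seen["extensions"].append(etype)
        if etype == SNI_EXT_TYPE:
            # ServerNameList: u16 list_len, then (u8 name_type, u16 name_len, name)
            (name_len,) = struct.unpack("!H", edata[3:5])
            seen["outer_sni"] = edata[5:5 + name_len].decode()
        elif etype == ECH_EXT_TYPE:
            seen["ech_present"] = True   # the inner ClientHello with the real SNI is encrypted
    return seen


def certificate_inspection_decision(record: bytes, ech_setting: str = "block") -> str:
    """Assumed model of the profile's encrypted-client-hello block/allow switch (not FortiOS code)."""
    seen = inspect_client_hello(record)
    if seen["ech_present"] and ech_setting == "block":
        return "blocked"
    return "passthrough"


if __name__ == "__main__":
    ech_hello = build_client_hello("cloudflare-ech.com", ech_payload=b"\x00\x00" + b"\xaa" * 40)
    print(inspect_client_hello(ech_hello))
    print("block:", certificate_inspection_decision(ech_hello, "block"),
          "allow:", certificate_inspection_decision(ech_hello, "allow"))
    print(inspect_client_hello(build_client_hello("kidlocoding.com")))
```

The point the output makes is that, with ECH present, the only hostname available to a non-decrypting profile is the public name; flipping the setting to allow lets those sessions through on that basis alone, while leaving it at block refuses every site that sits behind that public name, which is the trade-off the question is really asking about.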