You want to use the error page on SSL sites, you have enabled SSL decryption on the proxy, and despite this you still get the error ERR_TUNNEL_CONNECTION_FAILED.
This new option is available on Artica 4.40 SP130. For 4.30 LTS see Pass first connection tunnel option
By default, with or without SSL decryption, a denied SSL site generates a connection error in browsers.
This behavior is normal because the SSL protocol (an encrypted tunnel) cannot be redirected before the SSL certificates have been exchanged.
Web filtering operates on the entire SSL protocol.
If you want to display the error page, Artica must let the first connections pass so that it can correctly send the redirect to the error page.
This means that if you activate this option, only decrypted sites will be processed by the web filtering.
You must understand that enabling the SSL Decryption Compatibility option modifies the behavior:
“not decrypted sites will not be processed by the web filtering service.”
This is a global option.
To overcome this behavior and fix this limitation, keep this option off and use the filtering policies section.
In “Filtering service” > “Error Page”, turn ON the SSL Decryption Compatibility checkbox.
The CONNECT protocol to “sex[.]com” (1) is not blocked for certificate pinning, but the GET request (2) is blocked and correctly redirected to the Web error page.
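The behaviour described on this page, modelled as an added example (not Artica code): it follows one HTTPS visit through the CONNECT and GET steps with the checkbox off and on, and lists the denied sites that would stop being filtered once it is on. The host names, the `Policy` fields and the reply labels are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    denied: frozenset      # hostnames the web filter blocks (constructed)
    decrypted: frozenset   # hostnames the proxy decrypts (constructed)
    compat: bool           # state of the SSL Decryption Compatibility checkbox

def browse(policy, host):
    """Return (proxy replies in order, what the browser ends up showing)."""
    replies = []
    # 1. CONNECT host:443 - only the hostname is visible, no certificate
    #    exchange has happened, so a denial cannot carry a redirect.
    if host in policy.denied and not policy.compat:
        replies.append("CONNECT denied")
        return replies, "ERR_TUNNEL_CONNECTION_FAILED"
    replies.append("CONNECT passed")
    # 2. Not decrypted: the proxy only relays ciphertext. With the option on,
    #    the filter never sees this traffic again.
    if host not in policy.decrypted:
        replies.append("tunnel relayed")
        return replies, "site loaded"
    # 3. Decrypted: the GET inside the tunnel is visible and can be redirected.
    if host in policy.denied:
        replies.append("GET redirected")
        return replies, "error page"
    replies.append("GET passed")
    return replies, "site loaded"

def filtering_gaps(policy):
    """Denied hosts that would load anyway: option on and not decrypted."""
    if not policy.compat:
        return []
    return sorted(h for h in policy.denied if browse(policy, h)[1] == "site loaded")

if __name__ == "__main__":
    denied = frozenset({"blocked.example", "pinned-app.example"})
    decrypted = frozenset({"blocked.example", "news.example"})
    for compat in (False, True):
        p = Policy(denied, decrypted, compat)
        for host in sorted(denied | decrypted):
            print(compat, host, *browse(p, host))
        print("gaps:", filtering_gaps(p))
```

Running `filtering_gaps` against your own denied and decrypted lists before turning the checkbox on shows which blocked sites would become reachable.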