cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
feickholt
Level 10
Report Inappropriate Content
Message 1 of 6
‎07-17-2018 02:35 AM

Cert Issue

Hi

we tried to connect to https://signin.amazonaws.cn/saml

 

this is blocked due to Unknown CA.

 

I Tried to figure out which is the CA we don't know. This is the path we got without ssl interception. For me this looks ok. 

Unbenannt.PNG

All certs in this path are wellknown... 

 

Any Idea?

0 Kudos
Reply
5 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 6
‎07-17-2018 02:43 AM

Re: Cert Issue

Hi @feickholt,

 

I just checked this on a Web Gateway running 7.8.2 with a default config. With HTTPS Scanning enabled the site is working fine.

 

Maybe you can check which setting is used in the rule to check the certificate and also you can check if there is new content for the Known CAs list.

0 Kudos
Reply
feickholt
Level 10
Report Inappropriate Content
Message 3 of 6
‎07-17-2018 04:16 AM

Re: Cert Issue

We use 7.7.2

and uses the Known CAs supplied by MC.

I reloaded the List manually nothing changed

Here is the rule Unbenannt.PNG

Unbenannt.PNG

0 Kudos
Reply
feickholt
Level 10
Report Inappropriate Content
Message 4 of 6
‎07-17-2018 05:26 AM

Re: Cert Issue

something strange is regarding the certificate Chain length. The property show 1 but the right value must be 4

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 5 of 6
‎07-17-2018 05:55 AM

Re: Cert Issue

Hi Frank,

Tried to reproduce the issue on my side as well, running 7.7.2.14 with default McAfee supplied list of known CAs, but without any success.

Also double-checked the certificate path and for me this looks totally fine just as you mentioned.

Not sure what might go wrong there, looks like a strange behaviour within your policy/environment...

Best
Steffen


0 Kudos
Reply
aloksard
Employee
Employee
Report Inappropriate Content
Message 6 of 6
‎07-18-2018 03:17 AM

Re: Cert Issue

Hi, 

Hope you are doing well.

Below is the certificate being received at my end and website works fine with proxy and SSL enabled:-

 

Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4861
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 4857
Certificates Length: 4854
Certificates (4854 bytes)
Certificate Length: 1422
Certificate: 3082058a30820472a0030201020210097e6b210aaf0fbca1... (id-at-commonName=*.signin.amazonaws.cn)
Certificate Length: 1101
Certificate: 3082044930820331a0030201020213067f94578587e8ac77... (id-at-commonName=Amazon,id-at-organizationalUnitName=Server CA 1B,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1174
Certificate: 308204923082037aa0030201020213067f944a2a27cdf3fa... (id-at-commonName=Amazon Root CA 1,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1145
Certificate: 308204753082035da003020102020900a70e4a4c3482b77f... (id-at-commonName=Starfield Services Root Certificate Authority ,id-at-organizationName=Starfield Technologies, Inc.,id-at-localityName=Scottsdale,id-at-stateOrProvinceName=A

 

I would once suggest to again check the certificate being received to MWG with SSL inspection enabled  and check if certificate autheorities is present in the CA list being used in your policy.

 

If all look fine then you may open a case with support for further investigation.

 

Regards

Alok Sarda

 

 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC