Certificate Errors on Websites

Hi all, for the past few months we have been having issues with several certificates on random websites. The end user basically sees a message saying that the site is insecure and asks them if they want to continue. It seems that if we bypass the Sophos Web Appliance fully it seems to work correctly, and once it has worked correctly once on a PC, it seems to continue working from that point onwards, regardless of user.

We do not use HTTPS packet inspection, but we do have the Sophos Certificate pushed to all clients which is in date.

Websites doing this at the moment for example are https://gov.uk and also https://icloud.com has been doing it too.

Has anyone experienced issues like this? Is there anything I can do with the Web Appliance to narrow down more what is happening here?

Thanks very much. 

  • Hi David,

    Both of those sites rank very well on ssllabs. Generally, if you're having issues with sites like (updates, or stores), the issue is not with the site itself, but more towards the back end servers. Without https scanning the appliance will simply pass off that connection; however, there are some cases where you may need to make exclusions in your certificate validation.

    If you are not using certificate validation or https scanning, it could be the browser or other infrastructure rejecting the certificate. 

    In regards to pushing out the cert, if you are not using https scanning the only thing that would be good for is presenting dialogue boxes to users (block/warn pages or policy violations); all of those pages are stored on an https server that uses that cert. So without it: www.abc.com, policy violation... appliance presents certificate to the client... client clicks advanced, allow... they would then get the "you have been blocked page".

    Unfortunately the best way to troubleshoot these issues is Wireshark/tcpdump, or if you export the sophos_log to a syslog server you could search for rsn=1407. Check out the full explanation of the sophos log here: wsa.sophos.com/.../index.html

  • Hi David Ashcroft,

    1. Were you able to access these websites before?

    2. Did you make any changes to the computer prior to this issue?

    Make sure that the Date and Time settings are correct.

    Some secure sites require that the date and time match the date and time of the secure site. Sometimes, because of incorrect time, the certificates may show up as expired.

    Step 1:

    Set the Date/time correctly

    a. Just double-click on the time in the lower right corner on the Taskbar and set the time correctly.

    b. Be sure to check the time, month, date and the year. As soon as it is corrected, this will usually fix this issue.

    Step 2:

    You may even try to open the website in compatibility mode. Steps to follow:

    a. Put the URL link in the address bar

    b. Click on Compatibility tab beside the address bar

    Here is the link below for reference:

    http://www.microsoft.com/windows/internet-explorer/features/easier.aspx 

    Also refer to the link below for more information:

    Warning message when a user tries to connect to a secure Web site by using Internet Explorer 7: "There is a problem with this website's security certificate" (It applies to IE8 as well)

    http://support.microsoft.com/kb/931850

    Step 3:

    Reset Internet Explorer settings and check if it helps.

    http://support.microsoft.com/kb/923737

    NOTE: The Reset Internet Explorer Settings feature might reset security settings or privacy settings that you added to the list of Trusted Sites. The Reset Internet Explorer Settings feature might also reset parental control settings. We recommend that you note these sites before you use the Reset Internet Explorer Settings feature.

    Hope this information is helpful.