
SSL scanning implementation / Best practice (error handling...)

I'm interested in your experiences with activating the SSL scanning feature. I implemented and activated it in an environment serving about 4000 users. To give you an idea, there are (per day) 11820 unique domains and 2300 unique users.

Many different web pages are visited, and my experience is that many sites are broken or not visible after activation. I have to create a lot of exceptions for SSL scanning and some for the certificate check. Sometimes I face problems with certificates that seem to be OK (no problems with a direct internet connection; it works fine with the same browser). What can cause this? Could it be that the UTM doesn't know all publicly trusted root CAs?

So I'm interested in your experience of how to handle all this... Do you completely disable the certificate checks (because you might think the end user would skip all the security warnings anyway)? Or do you also prefer to create exceptions?

Ciao

Sebastian



  • I would also like to add to the previous responses by advising NOT to disable certificate validation.

    It's true that without HTTPS scanning, many users might ignore the certificate warning presented by the browser anyway. But with HTTPS scanning enabled, and certificate checking disabled, the browser would display no warnings at all. The SSL filtering has to replace the original certificate with a locally-signed one, which will always be valid and trusted for a browser that has trusted the UTM CA certificate.

    So disabling certificate validation effectively removes the ability for the browser to alert users to be on their guard. With cert validation enabled, the UTM may block some legitimate sites with minor cert issues, but it will remove the risk that a user clicking through a certificate warning will suffer a major security incident.

    Cheers
    Rich

    P.S. We do update the trusted certificate lists for the UTM but there may be times when the list gets out of sync with browsers. Feel free to submit any gaps that you notice via the feature request portal.
  • Hi Rich,

    Here is one site with a Symantec certificate. I often have problems with these certificates. Could you take a look at it and tell me why the Sophos throws an error here, while the browser has no trouble with it?

    https://portal.bibserve.com/ptl/login/pre-login.faces

    Who's "responsible" for the problem? The web server admin or the Sophos developers?

    Best Regards

    Sebastian

  • If you want to know more about the quality of certificates, please go to www.ssllabs.com and use their "Test your server".


    Here is the report for the site you mentioned.

    https://www.ssllabs.com/ssltest/analyze.html?d=portal.bibserve.com

    Off the top of my head, I suspect that the certificate chain issues are what is causing the certificate to be considered invalid by the UTM. However, the exact details here are at the limits of my knowledge.

    Similarly, using the Linux command-line openssl:

    $ openssl s_client -connect portal.bibserve.com:443
    CONNECTED(00000003)
    depth=0 /C=FR/ST=Puy-de-Dome/L=Clermont-Ferrand/O=Manufacture Francaise des Pneumatiques Michelin/OU=ZONE3/CN=portal.bibserve.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=FR/ST=Puy-de-Dome/L=Clermont-Ferrand/O=Manufacture Francaise des Pneumatiques Michelin/OU=ZONE3/CN=portal.bibserve.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=FR/ST=Puy-de-Dome/L=Clermont-Ferrand/O=Manufacture Francaise des Pneumatiques Michelin/OU=ZONE3/CN=portal.bibserve.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=FR/ST=Puy-de-Dome/L=Clermont-Ferrand/O=Manufacture Francaise des Pneumatiques Michelin/OU=ZONE3/CN=portal.bibserve.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    [...]

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 25093A60818A4E52E886E79FC24CEFEF76A25A23031472DBE73F2DB1D9AB436F
        Session-ID-ctx:
        Master-Key: E2E62FCC19F95BB575B3436FD301174145390E61B440F0E29C1069252F06730CC216D71372FE297A00BA399D9CE47667
        Key-Arg   : None
        Start Time: 1457540674
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)

  • Confirmed with another online SSL checker tool. The administrator of that website didn't import all of the intermediate certificates.

  • Hey guys,

    Thanks for this useful information. So now I know that the web server admin didn't do his job right... But at the moment I'm getting tons of tickets with exactly this problem. Can I import intermediate certificates into the UTM to solve this problem?

    The problem is that most browsers don't have any problems with these missing certificates... Probably they have all the necessary intermediate certificates installed...

    For me it doesn't look like an option to create countless exceptions for websites where the problem is the web server configuration itself... I just want to find a practicable solution for this...

  • I found something on the feature request portal, seems to be related to this topic:

    feature.astaro.com/.../2524138-astaroos-support-intermediate-cas

  • That feature request is unrelated. It is about the case where you purchase a certificate that you want to use for WebAdmin, Portal, or WAF and the certificate requires intermediate CAs.

    Off the top of my head I think you should be able to install the intermediate certificates; however, this is out of my area of expertise. Try it and report back. :)

  • You can install the intermediate certificates, if you can get hold of them.

    Browsers mask the problem of poorly-configured web servers by caching intermediate certificates that they download from well-behaved servers. So in the case cited by the OP, portal.bibserve.com has a cert signed by "Symantec Class 3 Secure Server CA - G4", which in turn is signed by a Verisign root cert. If you try to access this site on a brand new machine with a brand new browser, it will probably fail. However, as soon as you go to another site with a certificate signed by the same Symantec intermediate cert, your browser will store the intermediate cert in a cache. The next time you try to visit the broken site, the browser says "Hey, I know about that intermediate cert" and uses the cached copy to validate it.

    I found Firefox was the easiest way to capture the intermediate cert, save it, and install it to the UTM. I run a Mac, and both Safari and Chrome use OS X's built-in keychain manager, which doesn't seem to expose cached certs.

    In Firefox, I could click on the lock icon, go to More Information, go to the Security tab, go to View Certificate, click on the Details tab, select the line under 'Certificate Hierarchy' for the Symantec Class 3 Secure Server CA, click Export... and save the certificate. This saved file, given a .pem extension, can be loaded into the UTM under Web Protection > Filtering Options > HTTPS CAs > Local verification CAs.

    To save the bother in this case, here is the contents of the cert used by portal.bibserve.com. Copy and paste it into a text file, save it with a .pem extension and it should import into your UTM:

    -----BEGIN CERTIFICATE-----
    MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
    yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
    ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
    U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
    ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
    aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
    CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
    BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
    YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
    A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
    9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
    s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
    L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
    Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
    AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
    Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
    HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
    hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
    Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
    A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
    FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
    Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
    H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
    Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
    QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
    TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
    Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
    -----END CERTIFICATE-----

    This would be a neat feature to add to the UTM, I agree. I've added it to the Uservoice forum here: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/12887928-cache-intermediate-https-issuer-certificates

    Cheers,
    Rich
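As an added example (not code from this thread, from Sophos or from the UTM), here is a standard-library-only Python script that parses the intermediate certificate Rich posted and renders its subject and issuer in the same /C=.../O=.../CN=... form that the openssl s_client output earlier in the thread uses. It checks the three things worth confirming before loading a captured PEM into Local verification CAs: that its subject equals the issuer shown for the leaf certificate (so it actually closes the chain gap), that it is a CA certificate (BasicConstraints cA=TRUE, here with a path length of 0), and that it is within its validity period. The PEM, the leaf issuer string and the Start Time value are copied from the posts above; the function names and the minimal DER walker are mine, not a Sophos or OpenSSL API.

```python
import base64
from datetime import datetime, timezone

# Intermediate CA certificate as posted in Rich's reply above (copied verbatim, re-wrapped).
INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8TL9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0TAQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4EFgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxnyH1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtGQGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTYKvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----"""

# Issuer of the leaf certificate, exactly as `openssl s_client` printed it in the thread.
LEAF_ISSUER = "/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4"

ATTR_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
BASIC_CONSTRAINTS_OID = "2.5.29.19"


def _tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value (SEQUENCE, SET, ...)."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _oid(value):
    """Decode a DER OBJECT IDENTIFIER into dotted form, e.g. 2.5.4.3."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _name(value):
    """Render an X.501 Name in openssl's legacy /C=../O=../CN=.. notation so it can be compared."""
    parts = []
    for _, rdn in _children(value):                    # RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):                  # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{ATTR_NAMES.get(_oid(oid), _oid(oid))}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)


def _time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _basic_constraints(extensions):
    """Return (cA, pathLenConstraint) from BasicConstraints, or (False, None) if absent."""
    for _, ext in _children(extensions):
        items = list(_children(ext))                   # extnID, [critical], extnValue
        if _oid(items[0][1]) == BASIC_CONSTRAINTS_OID:
            _, bc, _ = _tlv(items[-1][1], 0)           # extnValue OCTET STRING wraps a SEQUENCE
            fields = list(_children(bc))
            is_ca = bool(fields) and fields[0][0] == 0x01 and fields[0][1] == b"\xff"
            path_len = int.from_bytes(fields[1][1], "big") if len(fields) > 1 else None
            return is_ca, path_len
    return False, None


def inspect_intermediate(pem, leaf_issuer):
    """Parse a PEM certificate and report whether it is the CA that the leaf's issuer field names."""
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)
    tbs = list(_children(next(_children(cert))[1]))    # tbsCertificate is the first element
    if tbs[0][0] == 0xA0:                              # drop the EXPLICIT [0] version wrapper
        tbs = tbs[1:]
    # tbs is now: serial, signature algorithm, issuer, validity, subject, SPKI, [extensions]
    not_before, not_after = (_time(t, v) for t, v in _children(tbs[3][1]))
    is_ca, path_len = False, None
    if len(tbs) > 6 and tbs[6][0] == 0xA3:             # [3] EXPLICIT wraps the SEQUENCE OF Extension
        is_ca, path_len = _basic_constraints(next(_children(tbs[6][1]))[1])
    subject = _name(tbs[4][1])
    return {"subject": subject, "issuer": _name(tbs[2][1]), "not_before": not_before,
            "not_after": not_after, "is_ca": is_ca, "path_len": path_len,
            "signs_leaf": subject == leaf_issuer}      # True only if this cert closes the chain gap


def valid_at(info, epoch_seconds):
    """True if the certificate's validity window covers the given Unix time."""
    when = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return info["not_before"] <= when <= info["not_after"]


if __name__ == "__main__":
    report = inspect_intermediate(INTERMEDIATE_PEM, LEAF_ISSUER)
    for key, value in report.items():
        print(f"{key:>10}: {value}")
    # 1457540674 is the Start Time shown in the thread's openssl s_client session.
    print("valid when the thread was written:", valid_at(report, 1457540674))
```

The subject/issuer comparison is the check that matters operationally: an intermediate whose subject does not equal the leaf's issuer will not help the UTM build the chain, however trustworthy it looks. The path length of 0 also explains why this CA can only be found one step below the leaf, and the validity check is a reminder that a cached intermediate has to be removed again once it expires.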