Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 13089 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Certificate Errors on Websites

David Ashcroft

Hi all, for the past few months we have been having issues with several certificates on random websites. The end user basically sees a message saying that the site is insecure and asks them if they want to continue. It seems that if we bypass the Sophos Web Appliance fully it seems to work correctly, and once it has worked correctly once on a PC, it seems to continue working from that point onwards, regardless of user.

We do not use HTTPS packet inspection, but we do have the Sophos Certificate pushed to all clients which is in date.

Websites doing this at the moment for example are https://gov.uk and also https://icloud.com has been doing it too.

Has anyone experienced issues like this? Is there anything I can do with the Web Appliance to narrow down more what is happening here?

Thanks very much. 



This thread was automatically locked due to age.
Parents
  • 0

    Hi David,

    Both of those sites rank very well on ssllabs.. generally if your having issues with sites like (updates, or stores) the issue is not with the site itself, but more towards the back end servers.  Without https scanning the appliance will simply pass off that connection however there some cases  where you may need to make exclusions in your certificate validation.

    If you are not using certificate validation or https scanning, it could be the browser or other infrastructure rejecting the certificate. 

    In regards to pushing out the cert, if you are not using https scanning the only thing that would be good for is presenting dialogue boxes to users (block/war pages or policy violations) all of those pages are stored on an https server that uses that cert.  So without it, www.abc.com, policy violation .. applaince presents certificate to the client.. client clicks advanced, allow.. they would then get the "you have been blocked page" 

    Unfortunately the best way to troubleshoot these issues is wireshark/tcp dump.. or if you export the sophos_log to a syslog server you could search for rsn=1407 check out the full explanation of the sophos log here: wsa.sophos.com/.../index.html

Reply
  • 0

    Hi David,

    Both of those sites rank very well on ssllabs.. generally if your having issues with sites like (updates, or stores) the issue is not with the site itself, but more towards the back end servers.  Without https scanning the appliance will simply pass off that connection however there some cases  where you may need to make exclusions in your certificate validation.

    If you are not using certificate validation or https scanning, it could be the browser or other infrastructure rejecting the certificate. 

    In regards to pushing out the cert, if you are not using https scanning the only thing that would be good for is presenting dialogue boxes to users (block/war pages or policy violations) all of those pages are stored on an https server that uses that cert.  So without it, www.abc.com, policy violation .. applaince presents certificate to the client.. client clicks advanced, allow.. they would then get the "you have been blocked page" 

    Unfortunately the best way to troubleshoot these issues is wireshark/tcp dump.. or if you export the sophos_log to a syslog server you could search for rsn=1407 check out the full explanation of the sophos log here: wsa.sophos.com/.../index.html

Children
No Data
Unfiltered HTML