
How to allow fetching movie list in MediathekView if SSL decryption is enabled?

macOS clients behind my XG (v17.5.14_MR-14) aren't able to use the software MediathekView because the movie list couldn't get loaded. Since I have SSL decryption enabled on the XG, I think that may be the reason for the issue. See error message below.

I already made exceptions for SSL decryption for these domains and their subdomains: mediathekview.de, wikimedia.org, akamaihd.net
But without success. Can someone tell me how to fix this (regarding SFOS, I am at beginner level)?

Thanks!

 

Error message thrown out by Mediathek View:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:167)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1462)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1370)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at mediathek.filmlisten.FilmeLaden.hasNewRemoteFilmlist(FilmeLaden.java:104)
    at mediathek.filmlisten.FilmeLaden.performUpdateCheck(FilmeLaden.java:175)
    at mediathek.filmlisten.FilmeLaden.loadFilmlist(FilmeLaden.java:194)
    at mediathek.javafx.FilmListNetworkReaderTask.call(FilmListNetworkReaderTask.java:19)
    at mediathek.javafx.FilmListNetworkReaderTask.call(FilmListNetworkReaderTask.java:8)
    at javafx.concurrent.Task$TaskCallable.call(Task.java:1425)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.CompletableFuture$UniRun.tryFire(CompletableFuture.java:783)
    at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
    at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1806)
    at java.base/java.util.concurrent.CompletableFuture$AsyncRun.exec(CompletableFuture.java:1792)
    at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
    at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1016)
    at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1665)
    at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1598)
    at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:177)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
    ... 43 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 48 more



  • Hello Sacha,

    Thank you for contacting the Sophos Community!

    Please provide a screenshot of the exceptions you created for this website. Did you create the exceptions following this KB

    Also if you can provide the logs in debug mode of the awarrenhttp_access.log it would be useful to see why the web filter might be blocking this. 

    To put the awarrenhttp service in debug mode, you need to SSH into the XG and press 5 > 3 to land in the advanced shell and from there type

    # service awarrenhttp:debug -ds nosync

    And after this type

    # cd /log

    And then 

    # cat awarrenhttp_access.log | grep "mediathekview.de" 

    Or I would recommend you check the IP of one of the computers with the issue, and filter by IP

    # cat awarrenhttp_access.log | grep "192.168.15.10" 

    Regards,

     


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thank you,

    I've made the exceptions following the kb article, see the screenshots:

     

    The awarrenhttp service gave me this output:


    1599650282.579934414 [ 6687/    0x7119c600] fwid=4 fwflag="VS" iap=12 aap=8 conn_id=3666928992 id="0002" name="web request blocked" action="drop" method="CONNECT" srcip="172.16.16.37" dstip="88.99.10.179" user="" statuscode=200 cached=0 trxlen=0 rxlen=0 url="liste.mediathekview.de/" referer="" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=205 cattime=39694 avscantime=0 fullreqtime=123445 ua="" activity="" av_transaction_id="" categoryname="Reference" category="61" app_id=0 app_name="None" app_cat="None"  exceptions=""

     

    Hope this gives important information.
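
Pulling the dropped requests out of awarrenhttp_access.log with their `fwflag` and `exceptions` fields shows at a glance whether any exception was recorded on the blocked connection, which a plain grep does not. This is an added example, not part of the original posts or of Sophos tooling; it assumes only the key=value layout visible in the posted line, the function names are hypothetical, and sample lines 2 and 3 are constructed.

```shell
#!/bin/sh
# Added example: list dropped requests from awarrenhttp_access.log lines.
# The key=value / key="value" layout is taken from the line posted above.

# dropped_requests FILE [CLIENT_IP]
# Prints "srcip url fwflag=... exceptions=..." for every action="drop" line,
# optionally limited to one client IP. An empty exceptions field prints as "-".
dropped_requests() {
    awk -v want="${2:-}" '
    # Return the value of key on the current line, surrounding quotes removed.
    # The leading space keeps "id" from matching inside "conn_id".
    function field(key,    pat, line, v) {
        line = " " $0
        pat = " " key "=(\"[^\"]*\"|[^ ]*)"
        if (!match(line, pat)) return ""
        v = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/^"|"$/, "", v)
        return v
    }
    field("action") == "drop" {
        src = field("srcip")
        if (want != "" && src != want) next
        exc = field("exceptions")
        if (exc == "") exc = "-"
        printf "%s %s fwflag=%s exceptions=%s\n", src, field("url"), field("fwflag"), exc
    }' "$1"
}

# Constructed sample input: line 1 is shortened from the posted log line,
# lines 2 and 3 are made up for illustration.
write_sample_log() {
    cat > "$1" <<'EOF'
1599650282.579 [ 6687/ 0x7119c600] fwid=4 fwflag="VS" conn_id=3666928992 id="0002" name="web request blocked" action="drop" method="CONNECT" srcip="172.16.16.37" dstip="88.99.10.179" url="liste.mediathekview.de/" categoryname="Reference" exceptions=""
1599650290.101 [ 6687/ 0x7119c600] fwid=4 fwflag="VS" conn_id=3666929001 id="0001" name="http access" action="pass" method="CONNECT" srcip="172.16.16.37" dstip="192.0.2.10" url="example.org/" categoryname="Reference" exceptions="av,https"
1599650295.440 [ 6687/ 0x7119c600] fwid=4 fwflag="VS" conn_id=3666929017 id="0002" name="web request blocked" action="drop" method="CONNECT" srcip="172.16.16.50" dstip="192.0.2.20" url="blocked.example/" categoryname="Reference" exceptions=""
EOF
}

log=$(mktemp)
write_sample_log "$log"
dropped_requests "$log" 172.16.16.37
rm -f "$log"
```

Pass the real log path and the affected client's IP instead of the sample file to get the same summary for live traffic.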

  • Hello Sacha,

    Thank you for the follow-up.

    I wouldn't recommend you to select the option Destination IP address, only use the URL pattern matches.

    By the log provided, the issue seems to be that the XG AV is detecting something in the connection for the fwflag="VS" flag. Are you using Sophos or Avira AV? To check this please go to Protect >> Web >> General Settings >> Protection. Please change to Avira and try again.

    Whether this change fixes the issue or not, please open a case with Support, as this needs to be investigated. When opening the case, feel free to reference this community link and send me the Case ID so I can follow up.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Here's the screenshot of Protect >> Web >> General Settings >> Protection. I can't find the setting "Sophos or Avira AV" that you mentioned.
