Cert Issue

Hi

We tried to connect to https://signin.amazonaws.cn/saml

This is blocked due to an Unknown CA.

I tried to figure out which CA we don't know. This is the path we got without SSL interception. For me this looks OK.

[attached screenshot: Unbenannt.PNG]

All certs in this path are well-known...

Any idea?

5 Replies
tpollok (McAfee Employee)
Message 2 of 6

Re: Cert Issue

Hi @feickholt,

I just checked this on a Web Gateway running 7.8.2 with a default config. With HTTPS Scanning enabled the site is working fine.

Maybe you can check which setting is used in the rule to check the certificate, and also check if there is new content for the Known CAs list.

Re: Cert Issue

We use 7.7.2 and use the Known CAs supplied by MC.

I reloaded the list manually; nothing changed.

Here is the rule:

[attached screenshot: Unbenannt.PNG]


Re: Cert Issue

Something strange regarding the certificate chain length: the property shows 1, but the right value must be 4.

Re: Cert Issue

Hi Frank,

Tried to reproduce the issue on my side as well, running 7.7.2.14 with the default McAfee-supplied list of known CAs, but without any success.

Also double-checked the certificate path, and for me this looks totally fine, just as you mentioned.

Not sure what might go wrong there; looks like strange behaviour within your policy/environment...

Best
Steffen


aloksard (McAfee Employee)
Message 6 of 6

Re: Cert Issue

Hi,

Hope you are doing well.

Below is the certificate being received at my end; the website works fine with proxy and SSL enabled:

Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4861
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 4857
Certificates Length: 4854
Certificates (4854 bytes)
Certificate Length: 1422
Certificate: 3082058a30820472a0030201020210097e6b210aaf0fbca1... (id-at-commonName=*.signin.amazonaws.cn)
Certificate Length: 1101
Certificate: 3082044930820331a0030201020213067f94578587e8ac77... (id-at-commonName=Amazon,id-at-organizationalUnitName=Server CA 1B,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1174
Certificate: 308204923082037aa0030201020213067f944a2a27cdf3fa... (id-at-commonName=Amazon Root CA 1,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1145
Certificate: 308204753082035da003020102020900a70e4a4c3482b77f... (id-at-commonName=Starfield Services Root Certificate Authority ,id-at-organizationName=Starfield Technologies, Inc.,id-at-localityName=Scottsdale,id-at-stateOrProvinceName=A

I would once again suggest checking the certificate being received by MWG with SSL inspection enabled, and checking whether the certificate authorities are present in the CA list being used in your policy.

If all looks fine, then you may open a case with support for further investigation.

Regards

Alok Sarda
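Added example (not part of this thread and not McAfee code): a small Python parser for the TLS 1.2 Certificate handshake message quoted above, illustrating what a gateway has to do before it can report a chain length at all, which is the number that reads 1 instead of 4 earlier in the thread. The sample record is constructed, not captured: it reuses the four entry lengths (1422, 1101, 1174, 1145) and the leading bytes shown in the Wireshark output and zero-pads the rest, so the blobs are not real certificates and can only be framed, not validated. The parser checks every length field against the bytes present and compares each entry's TLS length with the length claimed by its outer DER SEQUENCE, so a truncated or mis-framed message raises instead of quietly yielding a shorter chain.

```python
"""Added example: parse a TLS 1.2 Certificate handshake record and report the
chain it carries, the way a gateway's chain check must before deciding whether
the top of the chain is a known CA."""

# Constructed sample input (not a real capture): the four entry lengths and the
# leading 24 bytes of each entry are copied from the Wireshark output quoted in
# the thread; everything after those bytes is zero padding, so the blobs are
# NOT valid certificates and cannot be validated, only framed.
SAMPLE_ENTRIES = [
    ("3082058a30820472a0030201020210097e6b210aaf0fbca1", 1422),  # leaf
    ("3082044930820331a0030201020213067f94578587e8ac77", 1101),  # intermediate
    ("308204923082037aa0030201020213067f944a2a27cdf3fa", 1174),  # Amazon Root CA 1
    ("308204753082035da003020102020900a70e4a4c3482b77f", 1145),  # Starfield root
]


def build_certificate_record(entries=SAMPLE_ENTRIES):
    """Frame entries as TLS record -> Certificate handshake -> certificate_list."""
    cert_list = b""
    for hex_prefix, length in entries:
        der = bytes.fromhex(hex_prefix)
        der += b"\x00" * (length - len(der))            # constructed padding
        cert_list += length.to_bytes(3, "big") + der     # 3-byte per-entry length
    body = len(cert_list).to_bytes(3, "big") + cert_list      # certificates_length
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body  # type 11 = Certificate
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def der_sequence_length(der):
    """Total encoded size of the outer DER SEQUENCE, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                        # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_certificate_record(record):
    """Return the list of DER blobs in a TLS 1.2 Certificate handshake record.

    Every length field is checked against the bytes actually present, so a
    truncated or mis-framed message raises instead of yielding a short chain.
    """
    if len(record) < 5 or record[0] != 0x16 or record[1:3] != b"\x03\x03":
        raise ValueError("not a TLS 1.2 handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4:
        raise ValueError("truncated record")
    if handshake[0] != 0x0B:
        raise ValueError("handshake type %d is not Certificate (11)" % handshake[0])
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 3:
        raise ValueError("truncated handshake message")
    list_len = int.from_bytes(body[0:3], "big")
    if list_len != len(body) - 3:
        raise ValueError("certificates_length does not match payload")
    chain, pos = [], 3
    while pos < len(body):
        entry_len = int.from_bytes(body[pos:pos + 3], "big")
        der = body[pos + 3:pos + 3 + entry_len]
        if len(der) != entry_len:
            raise ValueError("truncated certificate entry %d" % len(chain))
        chain.append(der)
        pos += 3 + entry_len
    return chain


def chain_report(record):
    """(TLS entry length, DER SEQUENCE length) per entry; the two must agree."""
    return [(len(der), der_sequence_length(der))
            for der in parse_certificate_record(record)]


def chain_length(record):
    """Number of certificates the peer actually sent in this record."""
    return len(parse_certificate_record(record))


if __name__ == "__main__":
    rec = build_certificate_record()
    print("record bytes:", len(rec), "chain length:", chain_length(rec))
    for i, (tls_len, der_len) in enumerate(chain_report(rec)):
        status = "ok" if tls_len == der_len else "MISMATCH"
        print("  entry %d: tls=%d der=%s %s" % (i, tls_len, der_len, status))
```

Run against the constructed record, the lengths line up exactly with the capture (record 4861, handshake 4857, certificate list 4854) and the chain length is 4. A record that carries only the leaf entry parses to a chain length of 1, which is the value the gateway property showed; a record cut short by even one byte is rejected rather than counted, so if a gateway reports a shorter chain than the server sends, the place to look is what reached the gateway, not the chain itself.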
