erichk
Level 7

Certificate Chain Filter Error

I am seeing the following in the mgw-core.errors log:

[2012-08-14 19:18:49.618 -07:00] [CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA 'GlobalSign - GlobalSign' with digest '31c069f477c7dce325b828886efda03f4008bf85' ('error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01').

and I'm getting the following emailed to me:

Update Event triggered [1651]:1 of the recently updated CRLs for the certificate chain filter can not be loaded; origin:Certificate chain filter; severity:4

MWG 7.2

What do I need to do to correct these errors? Any help is appreciated!

Erich

0 Kudos
8 Replies
seebvey
Level 10

Re: Certificate Chain Filter Error

Hello Erich,

I have the same problem on all my installations.

Yesterday I created a support ticket about this error.

Let's see what I get back.

regards

seebvey

0 Kudos
asabban
Level 17

Re: Certificate Chain Filter Error

Hello,

Do you see this always, or does it happen from time to time? It looks like MWG was not able to download a CRL for one of the Root CAs which are used to verify server certificates. MWG contacts each of the known Root CAs and downloads the CRL from there. Because there are a lot of CRLs that are updated, it may happen from time to time that one of their servers is not available, which causes such a message.

If this only happens from time to time there is no need to worry. If it happens all the time it would be interesting to investigate. Please ensure that the CA is always the same (in the example above it is "GlobalSign - GlobalSign"). If the name or digest is different you are most likely seeing a different problem. You could look up the CA in the configuration of your MWG and validate the CRL URL is set to "http://crl.globalsign.net/root-r2.crl". If you simply want to remove the warnings you could remove the URL completely. This will prevent MWG from downloading the CRL updates, which is most likely not what you want to do.

Best,

Andre

0 Kudos
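Added example, not part of the original thread and not McAfee tooling: a Python sketch of the check suggested in the reply above, grouping `CannotLoadCRL` entries by CA name and digest and counting the distinct days on which each one failed. The function name, the three-day `persistent_days` threshold and every sample line except the first (copied from the opening post) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the CannotLoadCRL line format quoted in the opening post.
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}-\d{2}-\d{2}) [^\]]*\] \[CertificateFilterPlugin\] "
    r"\[CannotLoadCRL\] Cannot load CRL of CA '(?P<ca>[^']*)' "
    r"with digest '(?P<digest>[0-9a-fA-F]+)' \('(?P<reason>.*)'\)\.\s*$"
)
GS = ("[CertificateFilterPlugin] [CannotLoadCRL] Cannot load CRL of CA "
      "'GlobalSign - GlobalSign' with digest "
      "'31c069f477c7dce325b828886efda03f4008bf85' ('error:0407006A:rsa "
      "routines:RSA_padding_check_PKCS1_type_1:block type is not 01').")
# First line is from the thread; the others are constructed samples.
SAMPLE_LOG = [
    "[2012-08-14 19:18:49.618 -07:00] " + GS,
    "[2012-08-15 19:18:50.102 -07:00] " + GS,
    "[2012-08-16 19:18:51.330 -07:00] " + GS,
    "[2012-08-15 19:19:02.000 -07:00] [CertificateFilterPlugin] [CannotLoadCRL] "
    "Cannot load CRL of CA 'Example Root - Example' with digest "
    "'0000000000000000000000000000000000000000' ('constructed reason').",
    "[2012-08-15 19:20:00.000 -07:00] [OtherPlugin] [Constructed] unrelated line",
]

def summarize_crl_failures(lines, persistent_days=3):
    """Return one record per (CA, digest), most failing days first."""
    stats = defaultdict(lambda: {"count": 0, "days": set(), "reasons": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a CRL load failure
        entry = stats[(m["ca"], m["digest"].lower())]
        entry["count"] += 1
        entry["days"].add(m["date"])
        entry["reasons"].add(m["reason"])
    ordered = sorted(stats.items(), key=lambda kv: -len(kv[1]["days"]))
    return [{"ca": ca, "digest": digest, "count": e["count"],
             "days": len(e["days"]), "reasons": sorted(e["reasons"]),
             # Assumption: failing on N distinct days means "all the time".
             "persistent": len(e["days"]) >= persistent_days}
            for (ca, digest), e in ordered]

if __name__ == "__main__":
    for rec in summarize_crl_failures(SAMPLE_LOG):
        print(rec["ca"], rec["digest"], rec["count"], rec["days"],
              "PERSISTENT" if rec["persistent"] else "intermittent")
```

A CA that appears once is the intermittent case described above; one that recurs with the same name and digest across several days is the one to look up in the CA list.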
seebvey
Level 10

Re: Certificate Chain Filter Error

Hi Andre,

I found the problem.

The CA "IPS Seguridad CA - IPS SERVIDORES" expired in 2009!

I deleted the CA and the error is gone.

Sebastian

0 Kudos
asabban
Level 17

Re: Certificate Chain Filter Error

Hello,

Yes, this CA is expired. You can check the online rule set library for an updated list of Root CAs and a way to have the list automatically maintained.

Best,

Andre

0 Kudos
consoul
Level 9

Re: Certificate Chain Filter Error

How were you able to determine which CRL it was? Did you check each one manually?

I wish McAfee had a log for just about every feature the box operates...

consoul
Level 9

Re: Certificate Chain Filter Error

Found my own answer two minutes too late; it can be found in /opt/mwg/log/mwg-errors/wg-core.errors.log

Thanks

0 Kudos
asabban
Level 17

Re: Certificate Chain Filter Error

Correct :-)

Best,

Andre

0 Kudos
jspanitz
Level 7

Re: Certificate Chain Filter Error

MWG 6 had a REALLY, REALLY, SUPER NICE SSL Manager and SSL Incident Manager interface which they REALLY, REALLY need to bring back REALLY, REALLY fast in MWG 7. Please.

0 Kudos