It seems as if the rule "Skip verification for certificates found in Certificate White List" isn't working. Specifically for government.hsin.gov. I have downloaded the certs for hsin.gov and government.hsin.gov and I am still being blocked by the "Block unknown certificate authorities" rule. I believe these all have default settings.
When I browse there I get redirected to auth.hsin.gov. Do you have that certificate allowed as well?
Additionally you can try to add the missing RootCA. It should be this one:
You can add it to the list of known RootCAs.
Andre
Message edited by asabban on 26.08.11 01:25:00 CDT
Okay fixed the code-2.com by tracking it down to the GeoTrust Global CA. The question still begs itself:
Why must I add these to the Default Trusted CA list when the sites should be stopped at the Certificate White List rule?
You are right. Adding the RootCA is the "more global" approach, since the list of RootCAs is not the most recent one on Web Gateway. With a recent list of known and trusted CAs there would be no need to add the entries to the "Certificate White List", that's why I suggested this approach.
But of course you are right in saying that adding the Certs to the "Certificate White List" should be enough. I have just tested the "Certificate White List" and have removed the RootCAs I have added to the storage, and Web Gateway allows me to access both, government.hsin.gov and code-2.com without problems. Without the "Certificate White List" entries I was blocked because of unknown RootCAs.
The question is now why my Web Gateway allows me to access, while yours does not. It somehow looks like the white list does not trigger for you as expected. Are you working in "normal" proxy mode or are you running in transparent bridge/router mode?
Can you maybe send me some more screenshots from your "Certificate White List"? The screenshot above looks good and identical to my SSL Scanner, but there seems to be a difference somewhere.
Here's a little bit of a bigger shot
Not sure if it matters, but when I was testing the government.hsin.gov site I had strange issues with the Certificate White List.
Thanks for the help!
I have not taken a deeper look yet, but I wonder about one thing. You mentioned it was working fine for you, but was not working for others. When you did the tests on your workstation, were you also redirected to MWG via transparent bridge mode, or did you have your browser configured to talk to Web Gateway explicitly?
I am just wondering why it was working on your machine... (besides the fact that obviously the *.hsin.gov cert needed to be trusted multiple times for each side).
Can you clarify?