ittech

Certificate Verification

It seems as if the rule "Skip verification for certificates found in Certificate White List" isn't working. Specifically for government.hsin.gov. I have downloaded the certs for hsin.gov and government.hsin.gov and I am still being blocked by the "Block unknown certificate authorities" rule. I believe these all have default settings.

mcafee1.png

Any thoughts?

9 Replies
asabban

Re: Certificate Verification

Hello,

when I browse there I get redirected to auth.hsin.gov. Do you have that certificate allowed as well?

Additionally you can try to add the missing RootCA. It should be this one:


CRL URL: http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

You can add it to the list of known RootCAs.

Best,

Andre

Message edited by asabban on 26.08.11 01:25:00 CDT
ittech

Re: Certificate Verification

Yes, I have these 3:

hsin.gov

government.hsin.gov

auth.hsin.gov

and my users are still being blocked. Shouldn't the Certificate White list allow these?

ittech

Re: Certificate Verification

This is happening again with code-2.com when a user tries to log in.

ittech

Re: Certificate Verification

Okay, fixed code-2.com by tracking it down to the GeoTrust Global CA. The question still begs itself:

Why must I add these to the Default Trusted CA list when the sites should be stopped at the Certificate White List rule?

asabban

Re: Certificate Verification

Hello,

you are right. Adding the RootCA is the "more global" approach, since the list of RootCAs is not the most recent one on Web Gateway. With a recent list of known and trusted CAs there would be no need to add the entries to the "Certificate White List", that's why I suggested this approach.

But of course you are right in saying that adding the Certs to the "Certificate White List" should be enough. I have just tested the "Certificate White List" and have removed the RootCAs I have added to the storage, and Web Gateway allows me to access both government.hsin.gov and code-2.com without problems. Without the "Certificate White List" entries I was blocked because of unknown RootCAs.


The question is now why my Web Gateway allows me to access, while yours does not. It somehow looks like the white list does not trigger for you as expected. Are you working in "normal" proxy mode or are you running in transparent bridge/router mode?

Can you maybe send me some more screenshots from your "Certificate White List"? The screenshot above looks good and identical to my SSL Scanner, but there seems to be a difference somewhere.

Best,

Andre

ittech

Re: Certificate Verification

We are in Transparent/Bridged mode.

I'll work on those screen shots.

ittech

Re: Certificate Verification

Here's a little bit of a bigger shot.

mcafee.png

Not sure if it matters, but when I was testing the government.hsin.gov site I had strange issues with the Certificate White List.

  1. Originally, I added hsin.gov to my Certificate White List. This should've allowed any *.hsin.gov sites through, but it didn't.
  2. I added government.hsin.gov to the Certificate White List. This gave me an error for auth.hsin.gov.
  3. I added auth.hsin.gov to the Certificate White List. I was able to get through and thought I had solved the issue.
  4. When trying this on other machines I was still blocked. I tried this on 2 machines other than my own with 3 different users, all were blocked from government.hsin.gov due to unknown certificate authority.
  5. Only adding the issuing CA of certificate for government.hsin.gov to the Default Trusted CA list solved the issue for all users.

Thanks for the help!

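An added example, not from the thread or from the Web Gateway product, that reproduces the two situations discussed above with a constructed test PKI built with plain openssl: Andre's point that a chain the proxy cannot link to any CA it knows is blocked as an "unknown certificate authority", and step 5 above, where importing the issuing CA alone cleared the block. The CA names, the host name government.example and the temp files are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Web Gateway product: a constructed test PKI
# (root CA -> issuing CA -> server cert) built with plain openssl, used to reproduce the
# "unknown certificate authority" decision and to show which CA import clears it.
set -eu
work=$(mktemp -d)

# Extensions for the two constructed CAs and for the server certificate
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$work/ca.ext"
printf 'basicConstraints=CA:false\nsubjectAltName=DNS:government.example\n' >"$work/leaf.ext"

# Key + CSR for a given CN; both land in $work under the given base name
mkcsr() {   # mkcsr <name> <CN>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}
mkcsr root    "Demo Root CA"
mkcsr issuing "Demo Issuing CA"
mkcsr server  "government.example"
openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 2 \
    -extfile "$work/ca.ext" -out "$work/root.pem" 2>/dev/null
openssl x509 -req -in "$work/issuing.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
    -CAcreateserial -days 2 -extfile "$work/ca.ext" -out "$work/issuing.pem" 2>/dev/null
openssl x509 -req -in "$work/server.csr" -CA "$work/issuing.pem" -CAkey "$work/issuing.key" \
    -CAcreateserial -days 2 -extfile "$work/leaf.ext" -out "$work/server.pem" 2>/dev/null
: >"$work/empty.pem"   # a trust store that knows neither CA (the outdated-list case)

# Decide as the proxy does: "allowed" only if a path from the server cert to some CA in
# the store can be built. -partial_chain mirrors the thread's observation that importing
# the issuing CA alone is enough. $3 is the intermediate the server sent, if any.
chain_status() {   # chain_status <trust-store.pem> <server.pem> [sent-intermediate.pem]
    if openssl verify -partial_chain -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
    then echo allowed; else echo blocked-unknown-ca; fi
}

# Which CA must be imported? Read the issuer off the certificate that was blocked.
issuer_of() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

echo "outdated store, server sends intermediate: $(chain_status "$work/empty.pem" "$work/server.pem" "$work/issuing.pem")"
echo "root known, intermediate not sent:          $(chain_status "$work/root.pem" "$work/server.pem")"
echo "root known, intermediate sent:              $(chain_status "$work/root.pem" "$work/server.pem" "$work/issuing.pem")"
echo "issuing CA imported (step 5 in the thread): $(chain_status "$work/issuing.pem" "$work/server.pem")"
echo "CA to import for this site: $(issuer_of "$work/server.pem")"
```

The second case is the one to watch on a real gateway: a root that is trusted does not help when the site omits its intermediate, which is why importing the issuing CA itself fixed it here.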
asabban

Re: Certificate Verification

Hello,

I have not taken a deeper look yet, but I wonder about one thing. You mentioned it was working fine for you, but was not working for others. When you did the tests on your workstation, were you also redirected to MWG via transparent bridge mode, or did you have your browser configured to talk to Web Gateway explicitly?

I am just wondering why it was working on your machine... (besides the fact that obviously the *.hsin.gov cert needed to be trusted multiple times for each side).

Can you clarify?

thanks,

Andre

ittech

Re: Certificate Verification

My machine is also connecting to the MWG transparently. It was a strange occurrence.
