seebvey
Level 10

CertificateChain.ContainsExpiredCA

Hi,

I have a problem with one Web Gateway and the SSL Scanner.

For example, if I go to www.vmwareforumemea.com, I get an error message that the certificate chain contains an expired CA.

We use the McAfee Maintained CA List.

In the Rule Tracing Central I can see:   "SSL.Server.CertificateChain.ContainsExpiredCA<McAfee Maintained List> equals true"     true!

The same website is working on three other Web Gateways:

"SSL.Server.CertificateChain.ContainsExpiredCA<McAfee Maintained List> equals true"     false!

How can I check and fix this problem?

Best regards

Sebastian

0 Kudos
8 Replies
asabban
Level 17

Re: CertificateChain.ContainsExpiredCA

Hello!

The first item to check is the content of the McAfee Maintained Root CA list. If the MWGs behave differently, there should be a difference. I would check whether the lists are identical on the system with the problem compared to the system which does not show the problem.

Best,

Andre

0 Kudos
seebvey
Level 10

Re: CertificateChain.ContainsExpiredCA

Hi Andre,

Thanks for your reply.

I checked the lists on the systems. They are identical.

The difference between the systems is the version, but can this be a problem?

Version 7.3.2.1.x and 7.3.2.8.x.

Does Web Gateway do any caching on certificates?

Regards

Sebastian

0 Kudos
asabban
Level 17

Re: CertificateChain.ContainsExpiredCA

Hello,

I have been made aware that there is a known issue which can cause such a problem. Maybe a little background information:

The SSL Scanner related properties point to a "Certificate Chain" setting, which can be found in Policy->Settings->Engines->Certificate Chain. By default there is just one setting called "Default". Within this setting you make a relation to the list of certificate authorities which MWG uses to do the certificate verification etc. When you are affected by the known issue, MWG will not (only) search through the list that is referenced in the setting, but also through other, probably older existing lists. We have seen this issue especially with the GlobalSign certificates which have been recently replaced.

On the affected MWG you should first of all ensure that the correct list is referenced in the setting. If you upgraded from older versions you may have more than one CA list. One of the lists is the "subscribed" list, which means it is maintained by McAfee. That list is usually called "Known CAs". Please ensure that this list is configured in the setting, and that no other list is referenced (you can use up to one maintained and one static list per setting).

After you have checked this, please go to Policy->Lists and check if there is any other list of the type "certificate authority". If you find one, you should check if it contains a "GlobalSign" CA. If you find such an entry, go ahead and delete it and check if that resolves the problem.

Additionally you should have a quick look at the update.log and verify that the maintained CA list is successfully updated. When you trigger an update manually there should not be an issue talking to the update server when obtaining the latest version of the Root CA list. Otherwise it is possible that you are still running on an older list, which had older (expired) GlobalSign CAs in it. In this case an update of the lists should help.

By default there is a 5 minute cache enabled, which is called "SSL session cache" and is configurable from within the SSL Scanner related settings.

Best,

Andre

0 Kudos
seebvey
Level 10

Re: CertificateChain.ContainsExpiredCA

Hi Andre,

Thank you very much.

Exactly that was the problem: an old list with GlobalSign CA entries.

Regards

Sebastian

0 Kudos
asabban
Level 17

Re: CertificateChain.ContainsExpiredCA

Cool!

Thank you for the verification.

Best,

Andre

0 Kudos
darkfell
Level 9

Re: CertificateChain.ContainsExpiredCA

Why is the website https://yadi.sk/ blocked by the rule "Certificate chain contains expired certificate"?

0 Kudos
asabban
Level 17

Re: CertificateChain.ContainsExpiredCA

Hello,

An intermediate CA was missing in the chain, so MWG seemed to follow a wrong certification path. I have updated the list to include the missing intermediate CA. If you perform an engine update you should obtain the updated list. If you close and restart the browser, access to yadi.sk should be possible.

Best,

Andre

0 Kudos
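Both failure modes in this thread (a stale extra CA list that still holds an expired copy of a replaced root, and a chain that cannot reach a root because an intermediate is missing from both the server's handshake and the CA list) come down to how a proxy builds the certification path from its trust lists. The following is an added illustration written for this thread, not McAfee Web Gateway code and not a claim about how MWG searches its lists internally. It models certificates as plain records with constructed names and dates, walks the chain the way a simple path builder does (server-presented intermediates first, then the configured CA stores, first subject match wins), and reports what a ContainsExpiredCA-style property would see. The `shadowed_cas` audit is the check Andre describes (look for a CA subject that also exists in another "certificate authority" list), expressed as code.

```python
"""Constructed model of certificate-chain building against several CA lists.

Not MWG code. All subjects and dates below are made up for the illustration;
"Example Root CA" stands in for a root that was replaced by a newer copy with
the same subject name.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def is_expired(self, now: datetime) -> bool:
        return self.not_after < now


def find_issuer(cert, stores):
    """Return (store_name, issuer_cert) for the first certificate, scanning the
    stores in order, whose subject equals cert.issuer; (None, None) if absent."""
    for store_name, certs in stores:
        for candidate in certs:
            if candidate.subject == cert.issuer:
                return store_name, candidate
    return None, None


def build_chain(leaf, presented, stores, now):
    """Walk from the leaf to a self-signed root.

    Issuers are taken from the intermediates the server presented first, then
    from the CA stores. Returns the path, where each link came from, whether a
    root was reached, and the subjects of expired CAs on the path.
    """
    chain, sources, seen = [leaf], ["server"], {leaf.subject}
    current = leaf
    while not current.is_self_signed():
        nxt = next((c for c in presented if c.subject == current.issuer), None)
        src = "server"
        if nxt is None:
            src, nxt = find_issuer(current, stores)
        if nxt is None or nxt.subject in seen:
            break  # incomplete path (or a loop): no root reachable
        chain.append(nxt)
        sources.append(src)
        seen.add(nxt.subject)
        current = nxt
    return {
        "path": [c.subject for c in chain],
        "sources": sources,
        "complete": chain[-1].is_self_signed(),
        "expired_cas": [c.subject for c in chain[1:] if c.is_expired(now)],
    }


def shadowed_cas(stores, now):
    """Audit: CA subjects present in more than one store where at least one copy
    is expired. Maps subject -> [(store_name, expired?)]."""
    by_subject = {}
    for store_name, certs in stores:
        for c in certs:
            by_subject.setdefault(c.subject, []).append((store_name, c))
    return {
        subj: [(name, c.is_expired(now)) for name, c in copies]
        for subj, copies in by_subject.items()
        if len(copies) > 1 and any(c.is_expired(now) for _, c in copies)
    }


# --- constructed sample data -------------------------------------------------
def _d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)

NOW = _d(2014, 5, 27)                                    # around the thread's date
ROOT = "CN=Example Root CA"
ROOT_CURRENT = Cert(ROOT, ROOT, _d(2029, 3, 18))         # replacement root, maintained list
ROOT_OLD = Cert(ROOT, ROOT, _d(2014, 1, 28))             # old copy, same subject, expired
INTER = Cert("CN=Example Org CA", ROOT, _d(2021, 12, 15))
LEAF = Cert("CN=www.example.test", INTER.subject, _d(2015, 6, 1))

KNOWN_CAS = ("Known CAs", [ROOT_CURRENT])                # the subscribed list
OLD_LIST = ("Old Root CAs", [ROOT_OLD])                  # leftover from an upgrade


def scenario_clean():
    """Only the maintained list is consulted: the path ends at the current root."""
    return build_chain(LEAF, [INTER], [KNOWN_CAS], NOW)


def scenario_stale_list():
    """The known issue: an extra, older list is searched too. Which copy wins
    depends on search order (assumed here: old list first), so the fix is to
    remove the duplicate entry rather than to rely on ordering."""
    return build_chain(LEAF, [INTER], [OLD_LIST, KNOWN_CAS], NOW)


def scenario_missing_intermediate(store_has_intermediate):
    """The yadi.sk case: the server omits the intermediate, so the path can only
    be completed if the CA list supplies it."""
    store = ("Known CAs", [ROOT_CURRENT] + ([INTER] if store_has_intermediate else []))
    return build_chain(LEAF, [], [store], NOW)


if __name__ == "__main__":
    print("clean:              ", scenario_clean())
    print("stale extra list:   ", scenario_stale_list())
    print("no intermediate:    ", scenario_missing_intermediate(False))
    print("intermediate added: ", scenario_missing_intermediate(True))
    print("shadowed CA audit:  ", shadowed_cas([OLD_LIST, KNOWN_CAS], NOW))
```

Running it shows the clean path reaching the current root with no expired CA, the same leaf and intermediate flagged with an expired CA as soon as the old list is consulted (the only difference being which store supplied the root), the incomplete path when the intermediate is absent everywhere, and the audit naming the one subject that exists in two lists with an expired copy, which is exactly the entry to delete.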
darkfell
Level 9

Re: CertificateChain.ContainsExpiredCA

Thanks, it works.

Message was edited by: darkfell on 5/27/14 6:38:21 AM CDT
0 Kudos