6383 Views 12 Replies Latest reply: Jan 13, 2011 12:53 PM by ubahmapk
beatles13cfpb Newcomer 39 posts since
Mar 11, 2010

Nov 23, 2010 5:06 PM

SSL SCANNER CERTIFICATE ERROR

Hi everybody,

I have an error with MWG 7.0. When I enable SSL Scanner, I get a "Certificate Error" in Internet Explorer because the certificate is not the page's certificate, but the appliance's certificate. For example this happens with the McAfee page: https://secure.nai.com (the error from this page is the attached picture). How can I fix this error? I would appreciate any suggestions.

Thanks,

Carlos

Attachments:
  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    1. Nov 23, 2010 6:32 PM (in response to beatles13cfpb)
    Re: SSL SCANNER CERTIFICATE ERROR

    Hey Carlos,

    So, in your rulesets, I'm guessing you enabled the "SSL Scanner". This will cause the Web Gateway to scan the SSL traffic. A byproduct of this will be that the Web Gateway will sign the server certificate (in your example it is secure.nai.com) with its own root CA.

    And it looks like you do not have the Root CA added to the browser's "Trusted Root Certification Authorities". This can easily be configured individually under Tools > Internet Options > Content > Certificates. Alternatively this can be pushed out via GPO in your security settings.

    Otherwise if you do not want to perform SSL scanning, simply disable the ruleset and the browser errors will disappear.

    ~Jon

    Message was edited by: Jon Scholten on 11/23/10 6:32:20 PM CST
  • trishoar Apprentice 61 posts since
    Jan 28, 2010
    3. Nov 25, 2010 10:48 AM (in response to beatles13cfpb)
    Re: SSL SCANNER CERTIFICATE ERROR

    Hi Carlos,

    The SSL scanner is a bit like a man in the middle attack. The proxy will connect to the webserver and negotiate an SSL session; it is then able to decrypt the page. After scanning the content it will then re-encrypt the page and send it on to the end user. However, as it does not have the webserver's SSL certificate it is unable to sign it like the original page, therefore it has to re-encrypt the page using its own certificate.

    To make the SSL negotiation seamless, therefore, you need to install your own root certificate on all the clients that use the proxy server.

    Standard practice would also be to not decrypt highly sensitive sites such as Banking.

    Regards,

    Tris

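The re-signing Tris describes, as an added example that is not part of the original thread or of McAfee's product: a Go program that builds a constructed "gateway" root CA, issues a certificate for secure.nai.com under it (standing in for what the appliance hands the browser), and then checks that certificate the way a browser does, once without the gateway root in the trust store (the "Certificate Error" Carlos saw) and once with it. The CA name "Example Web Gateway Root CA", the keys and the validity periods are all constructed for this example; the chain and hostname checks are Go's standard crypto/x509 verifier, not Web Gateway code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario models what the SSL Scanner does: the appliance holds a root CA and
// re-signs every origin server's identity with it. Everything here is constructed
// for the example; "Example Web Gateway Root CA" is not a real McAfee CA name.
type Scenario struct {
	GatewayRoot *x509.Certificate // the appliance's root CA: what clients must trust
	ReSigned    *x509.Certificate // the certificate the browser actually receives
}

// newCert issues a certificate for tmpl signed by parent; with parent == nil it is self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildScenario creates the gateway root and a re-signed certificate for host.
func BuildScenario(host string) Scenario {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Web Gateway Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, rootKey := newCert(rootTmpl, nil, nil)

	// The leaf carries the origin's name, but its issuer is the gateway, not a public CA.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := newCert(leafTmpl, root, rootKey)
	return Scenario{GatewayRoot: root, ReSigned: leaf}
}

// Verify performs the browser's two checks: chains to a trusted root, and names the host.
func Verify(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// IsUntrustedIssuer reports whether err is the "unknown authority" failure, i.e. the
// gateway root is missing from the trust store (the error shown in the thread).
func IsUntrustedIssuer(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	host := "secure.nai.com"
	s := BuildScenario(host)
	fmt.Printf("presented cert: subject=%q issuer=%q\n", s.ReSigned.Subject.CommonName, s.ReSigned.Issuer.CommonName)

	empty := x509.NewCertPool() // a client that has not imported the gateway root
	fmt.Println("without gateway root trusted:", Verify(s.ReSigned, empty, host))

	withRoot := x509.NewCertPool() // a client after the GPO/manual import Jon describes
	withRoot.AddCert(s.GatewayRoot)
	fmt.Println("with gateway root trusted:   ", Verify(s.ReSigned, withRoot, host))
}
```

The issuer printed on the first line is what a user sees in the browser's certificate viewer and is the quickest way to tell interception from a genuine certificate problem: the subject is the site, the issuer is the appliance. The same `Verify` call also fails on a hostname mismatch, which the trust-store import does not fix, so a persisting error with the root installed points at the presented name rather than at trust.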
  • jont717 Champion 291 posts since
    Jan 4, 2011
    4. Jan 7, 2011 7:41 PM (in response to trishoar)
    Re: SSL SCANNER CERTIFICATE ERROR

    I have this issue all the time too.  I have the certificate installed on all IE browsers but still get certificate errors on a lot of HTTPS pages.  

     

    Any ideas?

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    5. Jan 10, 2011 9:46 AM (in response to jont717)
    Re: SSL SCANNER CERTIFICATE ERROR

    Could you perhaps upload some screenshots? Specifically of the error, the certificate in question along with the chain?

     

    ~Jon

  • jont717 Champion 291 posts since
    Jan 4, 2011
    6. Jan 10, 2011 10:00 AM (in response to Jon Scholten)
    Re: SSL SCANNER CERTIFICATE ERROR

    We have 2 gateways in Central Management Configuration mode.  Do they share the same "Web Gateway" certificate or do we need to install 2 certificates in IE?

     

    Thanks!

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009
    7. Jan 10, 2011 10:04 AM (in response to jont717)
    Re: SSL SCANNER CERTIFICATE ERROR

    So I take it that you did not have both certificates trusted, which is why you were getting prompted?

     

    You can indeed import the certificates from #1 onto #2. Did you create your own? All that needs to be done is to take the certificate, key, and password, then import it on to #2 under Policy > Settings > Set Client Context > Default.

     

    ~jon

  • jont717 Champion 291 posts since
    Jan 4, 2011
    8. Jan 10, 2011 10:17 AM (in response to Jon Scholten)
    Re: SSL SCANNER CERTIFICATE ERROR

    I was asking if the clusters share the same Certificate?  When I log onto my Gateway, I do not see anyplace for another certificate, there is only one Default CA.  It looks like the cluster shares it just like the rule set.

     

    I don't get many certificate errors myself, just select people who do have the "Web Gateway" cert installed.

     

    What is McAfee's suggested setting to Financial/Bank SSLs?  Should they be skipping from SSL Scanning?

  • ubahmapk Newcomer 6 posts since
    Nov 25, 2009
    9. Jan 11, 2011 1:21 PM (in response to jont717)
    Re: SSL SCANNER CERTIFICATE ERROR

    We generated a certificate and imported it into our primary appliance.  The secondary appliance picked it up automatically, so only one CA is installed in our browsers' "Trusted Root Certification Authorities" store.

     

    No mention has been made of this in this thread that I've seen, but I noticed that Mozilla Firefox will happily use IE's proxy settings, but does not use IE's certificate store.  As a result, the user will be presented with the invalid cert error in Firefox, even if the CA has been installed into the IE certificate store.

     

    To remedy this, we generated a "Firefox Extension" that installed the CA into Firefox's CA store.  (Thunderbird behaves the same way -- it has its own CA store apart from Firefox and IE, that must also be updated if Thunderbird goes through the proxy.)

     

    So far in our testing, Google Chrome and Safari both use IE's proxy settings and certificate store and no additional configuration was required for those browsers.
