12 Replies Latest reply: Jan 13, 2011 12:53 PM by ubahmapk

    SSL SCANNER CERTIFICATE ERROR

    beatles13cfpb

      Hi everybody,


      I have an error with MWG 7.0. When I enable SSL Scanner, I get a "Certificate Error" in Internet Explorer because the certificate is not the page's certificate, but the appliance's certificate. For example this happens with the McAfee page: https://secure.nai.com (the error from this page is the attached picture). How can I fix this error? I would appreciate any suggestions.


      Thanks,


      Carlos

        • 1. Re: SSL SCANNER CERTIFICATE ERROR
          Jon Scholten

          Hey Carlos,

           

          So, in your rulesets, I'm guessing you enabled the "SSL Scanner"; this will cause the Web Gateway to scan the SSL traffic. A byproduct of this will be that the Web Gateway will sign the server certificate (in your example it is secure.nai.com) with its own root CA.

           

          And it looks like you do not have the Root CA added to the browser's "Trusted Root Certification Authorities". This can easily be configured individually under Tools > Internet Options > Content > Certificates. Alternatively this can be pushed out via GPO in your security settings.

           

          Otherwise if you do not want to perform SSL scanning, simply disable the ruleset and the browser errors will disappear.

           

          ~Jon

           

           

          Message was edited by: Jon Scholten on 11/23/10 6:32:20 PM CST
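
The fix Jon describes, as an added example that is not from the thread or from McAfee: import the gateway's root CA into the machine-wide Trusted Root store and confirm it landed there. The IE dialog (Tools > Internet Options > Content > Certificates) imports into the current user's store only; `Cert:\LocalMachine\Root` covers every user on the box, and is also the store a GPO populates (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities). `C:\certs\webgateway-ca.cer` is a hypothetical path for the CA exported from the appliance.

```powershell
# Added example (not from the thread): install the Web Gateway root CA into the
# Windows "Trusted Root Certification Authorities" store for the whole machine,
# then confirm it is there. Assumes the CA was exported from the appliance to
# C:\certs\webgateway-ca.cer (hypothetical path), DER or Base64 encoded.
# Run from an elevated PowerShell prompt; LocalMachine\Root needs admin rights.

$CaFile = 'C:\certs\webgateway-ca.cer'

function Install-GatewayRootCa {
    param([Parameter(Mandatory)][string]$Path)

    # Import-Certificate ships with the PKI module (Windows 8 / Server 2012 and later).
    # certutil.exe is the fallback on the Windows 7 / IE 8 era clients this thread is about.
    if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
        Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    } else {
        & certutil.exe -addstore -f Root $Path | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    }
}

function Test-GatewayRootCa {
    param([Parameter(Mandatory)][string]$Path)

    # Compare by thumbprint rather than by subject name: anyone can mint a CA
    # with the same CN, so the thumbprint is the only thing worth trusting here.
    $expected  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

    if ($null -eq $installed) {
        Write-Warning "Thumbprint $($expected.Thumbprint) not found in LocalMachine\Root"
        return $false
    }
    Write-Host "Trusted root present: $($installed.Subject), expires $($installed.NotAfter)"
    return $true
}

Install-GatewayRootCa -Path $CaFile
Test-GatewayRootCa -Path $CaFile
```

One caveat worth stating plainly: once this root is trusted, the appliance can present a valid-looking certificate for any HTTPS site to these clients, so the CA private key on the Web Gateway deserves the same protection as an internal enterprise CA's key.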
          • 2. Re: SSL SCANNER CERTIFICATE ERROR
            beatles13cfpb

            Jon, thanks for your answer. Is it possible to conserve the original page's certificate, enabling the SSL Scanner?

             

            Thank you again.

             

            Carlos

            • 3. Re: SSL SCANNER CERTIFICATE ERROR
              trishoar

              Hi Carlos,

               

              The SSL scanner is a bit like a man-in-the-middle attack. The proxy will connect to the web server and negotiate an SSL session; it is then able to decrypt the page. After scanning the content it will then re-encrypt the page and send it on to the end user. However, as it does not have the web server's SSL certificate it is unable to sign it like the original page; therefore it has to re-encrypt the page using its own certificate.

              To make the SSL negotiation seamless, therefore, you need to install your own root certificate on all the clients that use the proxy server.

              Standard practice would also be to not decrypt highly sensitive sites such as banking.

               

              Regards,

               

              Tris
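
The re-signing Tris describes, reproduced locally as an added example (not code from the thread or from the product): a throwaway "Web Gateway Root CA" issues a certificate for secure.nai.com, and a chain check shows what a client can and cannot tell from it. The subject and SAN are the origin's, the issuer is the gateway's, and the OS only accepts the chain once the gateway root is in the Trusted Root store. The names come from the thread; the keys and certificates are test material generated on the spot, and `New-SelfSignedCertificate` with `-Subject` and `-KeyUsage` assumes the PKI module from Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the thread: reproduce locally what the SSL Scanner
# does to a server certificate, then show how a client can tell the result
# apart from the real thing. Needs New-SelfSignedCertificate with -Subject and
# -KeyUsage (PKI module, Windows 10 / Server 2016 or later). The certificates
# are throwaway test material created in Cert:\CurrentUser\My and deleted at
# the end; "Web Gateway Root CA" and secure.nai.com are the names from the thread.

function New-GatewayMitmPair {
    # The proxy's own root: a self-signed CA allowed to sign other certificates.
    $ca = New-SelfSignedCertificate -Subject 'CN=Web Gateway Root CA' `
        -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(7)

    # What the proxy hands to the browser: the origin's name is kept (subject
    # and SAN), but the signature now comes from the gateway CA instead of the
    # public CA that issued the real secure.nai.com certificate.
    $leaf = New-SelfSignedCertificate -DnsName 'secure.nai.com' -Signer $ca `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(7)

    [pscustomobject]@{ Ca = $ca; Leaf = $leaf }
}

function Test-InterceptedChain {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$GatewayCa
    )
    # Chain 1: tolerate an unknown root so we can see who it is. That unknown
    # root is exactly what IE is complaining about in Carlos's screenshot.
    $loose = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $loose.ChainPolicy.RevocationMode = 'NoCheck'        # throwaway certs carry no CRL
    $loose.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$loose.ChainPolicy.ExtraStore.Add($GatewayCa)  # let the builder find the issuer
    [void]$loose.Build($Leaf)
    $root = $loose.ChainElements[$loose.ChainElements.Count - 1].Certificate

    # Chain 2: the browser's view. Build succeeds only once the gateway CA sits
    # in the Trusted Root store, which is the fix Jon describes above.
    $strict = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $strict.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$strict.ChainPolicy.ExtraStore.Add($GatewayCa)
    $trusted = $strict.Build($Leaf)

    [pscustomobject]@{
        Subject     = $Leaf.Subject
        Issuer      = $Leaf.Issuer
        ChainRoot   = $root.Subject
        # Compare thumbprints, not names: a CA name can be copied, a thumbprint cannot.
        Intercepted = ($root.Thumbprint -eq $GatewayCa.Thumbprint)
        TrustedByOs = $trusted
    }
}

$pair = New-GatewayMitmPair
try {
    Test-InterceptedChain -Leaf $pair.Leaf -GatewayCa $pair.Ca | Format-List
} finally {
    # Remove the throwaway CA and leaf, private keys included.
    Remove-Item -Path "Cert:\CurrentUser\My\$($pair.Leaf.Thumbprint)" -DeleteKey
    Remove-Item -Path "Cert:\CurrentUser\My\$($pair.Ca.Thumbprint)" -DeleteKey
}
```

`Intercepted` answers the question the thread is really about (is the certificate I see signed by the gateway or by the origin's public CA?), and `TrustedByOs` separately reports whether the OS would accept it; against a live site the same `Test-InterceptedChain` can be fed the leaf obtained from an `SslStream` handshake through the proxy. The thumbprint comparison is also why the banking exemption Tris mentions matters: a client has no way to verify the real bank certificate while the gateway is in the path, it can only decide whether to trust the gateway.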

              • 4. Re: SSL SCANNER CERTIFICATE ERROR
                jont717

                I have this issue all the time too.  I have the certificate installed on all IE browsers but still get certificate errors on a lot of HTTPS pages.  

                 

                Any ideas?

                • 5. Re: SSL SCANNER CERTIFICATE ERROR
                  Jon Scholten

                  Could you perhaps upload some screenshots? Specifically of the error, the certificate in question along with the chain?

                   

                  ~Jon

                  • 6. Re: SSL SCANNER CERTIFICATE ERROR
                    jont717

                    We have 2 gateways in Central Management Configuration mode.  Do they share the same "Web Gateway" certificate or do we need to install 2 certificates in IE?

                     

                    Thanks!

                    • 7. Re: SSL SCANNER CERTIFICATE ERROR
                      Jon Scholten

                      So I take it that you did not have both certificates trusted, which is why you were getting prompted?

                       

                      You can indeed import the certificates from #1 onto #2. Did you create your own? All that needs to be done is to take the certificate, key, and password, then import it on to #2 under Policy > Settings > Set Client Context > Default.

                       

                      ~jon

                      • 8. Re: SSL SCANNER CERTIFICATE ERROR
                        jont717

                        I was asking if the clusters share the same Certificate?  When I log onto my Gateway, I do not see anyplace for another certificate, there is only one Default CA.  It looks like the cluster shares it just like the rule set.

                         

                        I don't get many certificate errors myself, just select people who do have the "Web Gateway" cert installed.

                         

                        What is McAfee's suggested setting for Financial/Bank SSL sites? Should they be skipped from SSL Scanning?

                        • 9. Re: SSL SCANNER CERTIFICATE ERROR
                          ubahmapk

                          We generated a certificate and imported it into our primary appliance.  The secondary appliance picked it up automatically, so only one CA is installed in our browsers' "Trusted Root Certification Authorities" store.

                           

                          No mention has been made of this in this thread that I've seen, but I noticed that Mozilla Firefox will happily use IE's proxy settings, but does not use IE's certificate store.  As a result, the user will be presented with the invalid cert error in Firefox, even if the CA has been installed into the IE certificate store.

                           

                          To remedy this, we generated a "Firefox Extension" that installed the CA into Firefox's CA store.  (Thunderbird behaves the same way -- it has its own CA store apart from Firefox and IE, that must also be updated if Thunderbird goes through the proxy.)

                           

                          So far in our testing, Google Chrome and Safari both use IE's proxy settings and certificate store and no additional configuration was required for those browsers.
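
The Firefox problem ubahmapk raises (its own CA store, separate from the Windows store IE, Chrome and Safari use) has a deployable answer in current Firefox versions that did not exist when this thread was written. The block below is an added example, not the extension the poster built: it writes the Firefox enterprise policy file (`distribution\policies.json`, read by Firefox 60 and later) with `ImportEnterpriseRoots`, which makes Firefox trust the Windows root store where the gateway CA already sits, plus `Certificates.Install` to import the file directly. The Firefox install directory and `C:\certs\webgateway-ca.cer` are assumed paths.

```powershell
# Added example (not from the thread): the policy-file replacement for the
# Firefox extension described above. Firefox 60 and later read
# <install dir>\distribution\policies.json. ImportEnterpriseRoots makes Firefox
# trust the Windows root store (where the gateway CA is already installed);
# Certificates.Install additionally imports the given file into Firefox's own
# store. C:\certs\webgateway-ca.cer and the install directory are assumed paths.
# Run elevated: the Program Files tree is not writable otherwise.

$FirefoxDir = 'C:\Program Files\Mozilla Firefox'
$CaFile     = 'C:\certs\webgateway-ca.cer'

function Set-FirefoxGatewayCaPolicy {
    param(
        [Parameter(Mandatory)][string]$InstallDir,
        [Parameter(Mandatory)][string]$CaPath
    )
    $policyDir  = Join-Path $InstallDir 'distribution'
    $policyFile = Join-Path $policyDir 'policies.json'

    # Keep any policies already deployed instead of clobbering the file.
    $policies = @{}
    if (Test-Path $policyFile) {
        $existing = Get-Content $policyFile -Raw | ConvertFrom-Json
        # ConvertFrom-Json yields a PSCustomObject; copy its members into the hashtable.
        foreach ($p in $existing.policies.PSObject.Properties) { $policies[$p.Name] = $p.Value }
    }

    $policies['ImportEnterpriseRoots'] = $true
    # Note: this replaces any existing "Certificates" policy block wholesale.
    $policies['Certificates'] = @{ Install = @($CaPath) }

    New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
    @{ policies = $policies } | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8
    return $policyFile
}

function Test-FirefoxGatewayCaPolicy {
    param([Parameter(Mandatory)][string]$PolicyFile)
    $p = (Get-Content $PolicyFile -Raw | ConvertFrom-Json).policies
    return ($p.ImportEnterpriseRoots -eq $true) -and (@($p.Certificates.Install).Count -ge 1)
}

$file = Set-FirefoxGatewayCaPolicy -InstallDir $FirefoxDir -CaPath $CaFile
Test-FirefoxGatewayCaPolicy -PolicyFile $file
```

After a restart, Firefox lists the active policies under `about:policies`. Thunderbird, as the post notes, has its own store as well; it reads the same policies.json format from its own installation's `distribution` folder, so it needs its own copy of the file. For profiles that cannot be reached by policy, the per-profile route is NSS's `certutil -A -d sql:<profile dir> -n "Web Gateway Root CA" -t "C,," -i webgateway-ca.cer`; that is the NSS tool from Mozilla, not the Windows `certutil.exe` used for the IE store, and the two are easy to confuse.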
