4 Replies Latest reply on Jan 8, 2011 8:46 AM by PhilM

    Certificate verification in every HTTPS pages

      Hello, I have this weird problem: I enabled the SSL scanner, and when somebody in my company opens an HTTPS page this message appears and keeps appearing every time they open an HTTPS page. If I disable the "certificate verification rule" everything works fine, but the SSL antivirus verification won't work. Any ideas how to resolve the issue? Thanks a lot for your help.

        • 1. Re: Certificate verification in every HTTPS pages
          PhilM

          Oscar,


          The symptoms you are describing are a direct result of switching on the SSL Scanner function.

           

          In order to be able to scan SSL traffic, the web gateway performs what is effectively a man-in-the-middle attack - convincing the web site that it is the requesting client. This allows it to decrypt the connection and then be able to scan its contents. As far as I know (and I have come across products from 3 different vendors with SSL scanning capabilities) this same method is used by all products claiming to perform SSL scanning.

           

          With the content scanned, it then has to re-encrypt the session and send it on to the original client PC. However, because the original certificate used by the web site has been used already, the web gateway re-signs the content with its own certificate.

           

          Because this certificate is self-signed, the first thing users report is the sudden appearance of this error when SSL scanning is enabled. In the case of the Firefox error screen, if you click on the "Technical Details" link you will see evidence that the certificate has been signed by the Web Gateway appliance rather than the original web site (in your example - google.com). Using Internet Explorer, I believe that you have to select the "Continue..." option and once the web page has loaded you should see (next to the address field) a "Certificate Error" notification. Clicking on this will basically show the same information as you would see in the "Technical Details" link in Firefox.

           

          To get rid of this message (but keep SSL scanning enabled) it is necessary to import the certificate into the web browser's trusted root certificate store. Once it has been installed the Web Gateway's certificate will be trusted and will no longer generate the error. This needs to be performed on all client machines, which can be a pain. You should therefore be able to export the certificate from your Web Gateway appliance and then use Group Policy (or whatever you use in your organisation) to deploy this certificate to all users.

           

          Hope this helps.

          Regards,

          Phil.

          • 2. Re: Certificate verification in every HTTPS pages

            Thanks a lot, I will try it and post the results.

            • 3. Re: Certificate verification in every HTTPS pages
              jont717

              Any results? I still get many SSL errors in IE even with the Web Gateway certificate installed.

              Firefox seems to work much better but our users use IE. Almost every Verizon SSL site throws an error and you have to click "Continue" to get to the site.

              • 4. Re: Certificate verification in every HTTPS pages
                PhilM

                If I remember my WebWasher v5/6 training, it was around the time when IE7 became the mainstream version. The instructor commented that using the certificate import wizard with default settings (which worked just fine with IE6) didn't work because the certificate was installed in the wrong certificate store.


                In IE7 (and IE8 of course), click on the "Continue to this web site (not recommended)" option, to gain access to the site. When the site has loaded, click on the "Certificate Error" section next to the browser's address bar & click the "View Certificates" link at the bottom of the sub-window. This pops up the Certificate Window.

                 

                Click on the "Install Certificate" button, which starts the import wizard. Click Next, and when asked about where to store the certificate do not use the automatic option. Instead, select the "Place all certificates in the following store" option, and browse to the "Trusted Root Certificate Authorities" store.

                 

                Click OK, Next, and then Finish - confirming the action one final time before the appliance's certificate is finally installed.

                 

                It's been a while since I've had to do it with IE, as I tend to use Firefox all of the time. But give this a shot and you should be OK.
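
The wrong-store problem described in reply 4 can be checked on a client without clicking through the browser. The following PowerShell script is an added example, not part of the original thread or of the gateway product: it loads the certificate exported from the gateway, searches every Windows certificate store for it, and reports whether it sits in a Trusted Root store or somewhere else. `$CertPath` and the `-Install` switch are names chosen for this example; `Import-Certificate` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: find where the gateway's CA certificate is installed on this client.
param(
    [Parameter(Mandatory = $true)]
    [string] $CertPath,   # assumption: CA certificate exported from the gateway (.cer/.crt)
    [switch] $Install     # import into LocalMachine\Root when missing (needs elevation)
)

$file = (Resolve-Path -LiteralPath $CertPath).Path
$gatewayCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

Write-Output "Subject    : $($gatewayCert.Subject)"
Write-Output "Issuer     : $($gatewayCert.Issuer)"
Write-Output "Thumbprint : $($gatewayCert.Thumbprint)"
Write-Output "Expires    : $($gatewayCert.NotAfter)"

# A self-signed root has identical subject and issuer; anything else is not a root.
if ($gatewayCert.Subject -ne $gatewayCert.Issuer) {
    Write-Warning 'Subject and issuer differ: this is not a self-signed root certificate.'
}

# Search every store in both CurrentUser and LocalMachine for the same thumbprint.
$hits = @(Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $gatewayCert.Thumbprint
    })

# "Root" is the internal name of the Trusted Root store; everything else is a different store.
$inRoot    = @($hits | Where-Object { $_.PSParentPath -match '\\Root$' })
$misplaced = @($hits | Where-Object { $_.PSParentPath -notmatch '\\Root$' })

foreach ($c in $inRoot) {
    Write-Output "Trusted root store : $($c.PSParentPath -replace '^.*::', '')"
}
foreach ($c in $misplaced) {
    Write-Warning "Found in another store: $($c.PSParentPath -replace '^.*::', '')"
}

if ($inRoot.Count -eq 0) {
    Write-Warning 'Certificate is not in any Trusted Root store.'
    if ($Install) {
        # Machine-wide import, the scripted equivalent of choosing the store by hand in the wizard.
        Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Output 'Imported into Cert:\LocalMachine\Root.'
    }
}
```

Compare the printed thumbprint with the one shown on the gateway itself before using `-Install`, since anything placed in the root store is trusted to sign certificates for any site.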