9 Replies Latest reply on Sep 2, 2011 12:53 PM by ittech

    Certificate Verification

    ittech

      It seems as if the rule "Skip verification for certificates found in Certificate White List" isn't working. Specifically for government.hsin.gov. I have downloaded the certs for hsin.gov and government.hsin.gov and I am still being blocked by the "Block unknown certificate authorities" rule. I believe these all have default settings.

       

      mcafee1.png

       

      Any thoughts?

        • 1. Re: Certificate Verification
          asabban

          Hello,

           

          when I browse there I get redirected to auth.hsin.gov. Do you have that certificate allowed as well?

           

          Additionally you can try to add the missing RootCA. It should be this one:

           


           

          CRL URL: http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl

           

          You can add it to the list of known RootCAs.

           

          Best,

          Andre

           

          Message edited by asabban on 26.08.11 01:25:00 CDT
          • 2. Re: Certificate Verification
            ittech

            Yes I have these 3

             

            hsin.gov

            government.hsin.gov

            auth.hsin.gov

             

            and my users are still being blocked. Shouldn't the Certificate White list allow these?

            • 3. Re: Certificate Verification
              ittech

              This is happening again with code-2.com when a user tries to log in.

              • 4. Re: Certificate Verification
                ittech

                Okay fixed the code-2.com by tracking it down to the GeoTrust Global CA. The question still begs itself:

                 

                Why must I add these to the Default Trusted CA list when the sites should be stopped at the Certificate White List rule?

                • 5. Re: Certificate Verification
                  asabban

                  Hello,

                   

                  you are right. Adding the RootCA is the "more global" approach, since the list of RootCAs is not the most recent one on Web Gateway. With a recent list of known and trusted CAs there would be no need to add the entries to the "Certificate White List", that's why I suggested this approach.

                   

                  But of course you are right in saying that adding the Certs to the "Certificate White List" should be enough. I have just tested the "Certificate White List" and have removed the RootCAs I had added to the storage, and Web Gateway allows me to access both government.hsin.gov and code-2.com without problems. Without the "Certificate White List" entries I was blocked because of unknown RootCAs.


                  The question is now why my Web Gateway allows me to access, while yours does not. It somehow looks like the white list does not trigger for you as expected. Are you working in "normal" proxy mode or are you running in transparent bridge/router mode?

                   

                  Can you maybe send me some more screenshots from your "Certificate White List"? The screenshot above looks good and identical to my SSL Scanner, but there seems to be a difference somewhere.

                   

                  Best,

                  Andre

                  • 6. Re: Certificate Verification
                    ittech

                    We are in Transparent/Bridged mode.

                     

                    I'll work on those screenshots.

                    • 7. Re: Certificate Verification
                      ittech

                      Here's a little bit of a bigger shot

                      mcafee.png

                       

                      Not sure if it matters, but when I was testing the government.hsin.gov site I had strange issues with the Certificate White List.

                       

                      1. Originally, I added hsin.gov to my Certificate White List. This should've allowed any *.hsin.gov sites through, but it didn't.
                      2. I added government.hsin.gov to the Certificate White List. This gave me an error for auth.hsin.gov.
                      3. I added auth.hsin.gov to the Certificate White List. I was able to get through and thought I had solved the issue.
                      4. When trying this on other machines I was still blocked. I tried this on 2 machines other than my own with 3 different users, all were blocked from government.hsin.gov due to unknown certificate authority.
                      5. Only adding the issuing CA of certificate for government.hsin.gov to the Default Trusted CA list solved the issue for all users.

                       

                      Thanks for the help!
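The block the thread ends up tracing to a missing issuing CA (post 4 for code-2.com, steps 4 and 5 above for government.hsin.gov) can be reproduced offline with the OpenSSL CLI: read the leaf certificate's issuer to see which CA has to be trusted, then verify the leaf against a trust store with and without that CA. This is an added example, not part of the thread or of Web Gateway; it builds a constructed, throwaway root CA and leaf certificate in a temp directory and assumes the openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example: reproduce an "unknown certificate authority" verification
# failure and show that trusting the issuing CA (not the leaf) resolves it.
set -e
WORK=$(mktemp -d)

# Constructed test PKI: two unrelated private root CAs and one leaf cert
# issued by the first. Names are placeholders, not the thread's real sites.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.pem" -subj "/CN=Example Test Root CA" -days 2 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
      -out "$WORK/other-ca.pem" -subj "/CN=Unrelated Root CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
      -out "$WORK/leaf.csr" -subj "/CN=government.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$WORK/leaf.pem" -days 1 >/dev/null 2>&1
}

# Print the issuer of a leaf certificate: the CA that a proxy's trusted-CA
# list must contain for chain verification of this site to succeed.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Verify a leaf ($1) against a CA bundle ($2). Echo "ok" or "unknown-ca".
# The output is grepped rather than relying on the exit code, because
# OpenSSL 1.0.x "verify" exits 0 even when verification fails.
verify_against() {
  if openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK'; then
    echo ok
  else
    echo unknown-ca
  fi
}

# Stand-alone demo: same leaf, two trust stores.
make_test_pki
cert_issuer "$WORK/leaf.pem"
echo "trust store without issuer: $(verify_against "$WORK/leaf.pem" "$WORK/other-ca.pem")"
echo "trust store with issuer:    $(verify_against "$WORK/leaf.pem" "$WORK/ca.pem")"
```

The same two checks, run against a chain exported from the browser, tell you whether a block comes from a genuinely unknown root (add the issuing CA) or from something else, such as a per-host whitelist entry that does not match the redirect target.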

                      • 8. Re: Certificate Verification
                        asabban

                        Hello,

                         

                        I have not taken a deeper look yet, but I wonder about one thing. You mentioned it was working fine for you, but was not working for others. When you did the tests on your workstation, were you also redirected to MWG via transparent bridge mode, or did you have your browser configured to talk to Web Gateway explicitly?

                         

                        I am just wondering why it was working on your machine... (besides the fact that obviously the *.hsin.gov cert needed to be trusted multiple times for each site).

                         

                        Can you clarify?

                         

                        thanks,

                        Andre

                        • 9. Re: Certificate Verification
                          ittech

                          My machine is also connecting to the MWG transparently. It was a strange occurrence.