16 Replies. Latest reply on Dec 10, 2014 2:03 PM by feickholt

    SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com

    Regis

      While I appreciate that MWG 7 is paranoid about certificate issuers, in MWG I'm getting blocked on a few rather trustworthy (we hope) sites using default SSL inspection policy templates. I'm running 7.1.0.6.

       

      The blocked sites:

       

      https://www.ssllabs.com/   (very handy SSL certificate checker site for external websites):

      The certificate verification failed in rule 'Block Unknown Certificate Authorities'. Host: www.ssllabs.com

      (perhaps due to StartCom not being among the default trusted CA list?)

       

      ... Which was especially humorous because I learned of it as I was attempting to go there to see why MWG was also blocking McAfee software downloads at

      https://secure.mcafee.com/ 

      The certificate verification failed in rule 'Block Unknown Certificate Authorities'. Host: secure.mcafee.com

      (probably due to mistrust of a Comodo issued *.mcafee.com certificate? Really McAfee, Comodo? After this http://www.infoworld.com/d/security/hackers-target-google-skype-rogue-ssl-certificates-603 all went down?)

       

       

      Q: Could anyone kindly share the canonical solution for fixing these?

        • 1. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
          jspanitz

          While I don't have a fix, I thought you may want to know that we are using 7.1.6.1 and those sites work fine for us.

          • 2. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
            asabban

            Hello,

             

            "Block Unknown Certificate Authorities" indicates that the signing CA is not part of your trusted CA list. Are you using the list that initially shipped with the product? There is an updated list available at

             

            https://contentsecurity.mcafee.com/ruleset_library?q=50021

             

            which contains more root and intermediate CAs. So far the feedback I have received on the updates list was pretty good, so maybe you want to give it a try?

             

            Best,

            Andre

            • 3. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
              jbmartin6

              As I understand it, there will be an issue with intermediate CAs where the cert uses the 'Authority Information Access' extension. This extension allows sites to simply include a link to the intermediate CA cert rather than having to provide the full chain. The latest version of browsers will follow the chain of links to see if there is a trusted root CA, but the MWG does not yet have that capability. So the MWG sees only the intermediate CA and blocks since it doesn't see the root CA which it probably trusts. McAfee has some solutions in the pipeline, including the ability to subscribe to a CA list from McAfee or support the AIA extension.

               

              In the meantime, we've been manually adding dozens of intermediate CAs as we encounter them to the default CA list. This is on version 7.1.5, I am not sure what is different in 7.1.6, possibly there is an expanded CA list with that version.
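To see what the AIA mechanism jbmartin6 describes actually looks like on the wire, here is an added example (not code from this thread, McAfee or the MWG product): a small standard-library DER walker that extracts the "CA Issuers" URL from a certificate's Authority Information Access extension, which is where a browser finds the intermediate that MWG cannot fetch; an admin can use that URL to download the intermediate and import it by hand. The certificate-like input and the `example.invalid` URLs are constructed for the demonstration.

```python
# Added example (not from the thread or McAfee): extract the AIA "CA Issuers" URL
# from a DER certificate so the missing intermediate can be fetched by hand.
OID_AIA = bytes.fromhex("2b06010505070101")         # id-pe-authorityInfoAccess
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp

def der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def children(der):  # direct (tag, value) children of a DER blob
    i = 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + n]
        i += n

def walk(der):  # depth-first over every TLV, descending into constructed tags
    for tag, value in children(der):
        yield tag, value
        if tag & 0x20:
            yield from walk(value)

def ca_issuer_urls(cert_der):
    """Every id-ad-caIssuers URI found in AIA extensions of cert_der."""
    urls = []
    for tag, value in walk(cert_der):
        parts = list(children(value)) if tag == 0x30 else []
        # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
        if parts and parts[0] == (0x06, OID_AIA) and parts[-1][0] == 0x04:
            aia = next(children(parts[-1][1]))[1]  # AuthorityInfoAccessSyntax SEQUENCE
            for _, ad in children(aia):            # AccessDescription entries
                method, location = list(children(ad))
                if method == (0x06, OID_CA_ISSUERS) and location[0] == 0x86:
                    urls.append(location[1].decode("ascii"))
    return urls

def build_sample(ca_url, ocsp_url):  # constructed extensions block, not a real cert
    ads = tlv(0x30, tlv(0x06, OID_OCSP) + tlv(0x86, ocsp_url.encode())) \
        + tlv(0x30, tlv(0x06, OID_CA_ISSUERS) + tlv(0x86, ca_url.encode()))
    ext = tlv(0x30, tlv(0x06, OID_AIA) + tlv(0x04, tlv(0x30, ads)))
    return tlv(0x30, tlv(0xA3, tlv(0x30, ext)))  # SEQUENCE { [3] Extensions }
```

Run `ca_issuer_urls(open("site.der", "rb").read())` on a server certificate saved in DER form to get the URL(s) of the intermediate(s) that need importing; the OCSP entry in the same extension is deliberately ignored.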

              • 4. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
                ittech

                The solution we usually use is not to import the site's or intermediate site's certificate, but go all the way to the root issuer. This has solved every problem we've had except for one.

                 

                It is with logmeinrescue.com, whose root is Thawte, Inc.; we've still had problems after importing the certificate. I have a suspicion that they may use another site, but the web reporter and wireshark haven't helped much :/

                 

                Still, the other 20 times or so this happened, that solved it.

                • 5. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
                  ittech

                  I tested out ssllabs.com and was blocked also. After adding the StartComCertificationAuthority certificate I got through (see attached).

                   

                  Message was edited by: ittech on 3/22/12 1:44:29 PM EDT
                  • 6. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
                    Regis

                    Thanks -- yes this is a box with the default CA list on it. 

                     

                    Funny - 2 sessions of quickstart consulting with McAfee/Accuvant, and an expensive onsite visit from a DLP consultant who used to be on the MWG support team, and you'd think someone would've mentioned that the 7.1.0.6 "stable" release's list of CAs is not exactly what you want.

                    • 7. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
                      asabban

                      Hello,

                       

                      The comment in regards to the AIA extension is correct. MWG 7.x does not support this at the moment. There is a feature request filed to get support, but it seems not to be available yet. We have seen more and more complaints about the CA list shipped with the product, so we decided to go ahead and create a new one within my team and manage it as well as possible. For MWG 7.2 and higher (once released) the list we maintain can be "subscribed", so in case we change it, the changes will automatically be applied to the list you are using (which requires that you trust our work, of course).

                       

                      For older versions I export the latest version of the list and dump it into the Online Rule Set Library as a rule set (see above). It should work much better. In case you use it, any kind of feedback would be appreciated (as usual ;-)).

                       

                      The major problem is that we do not really know what customers do. Some spend a lot of time to maintain a list that matches their needs and security guidelines, others do not care at all and want to have a default list which just works fine and does not need any manual work - so it is hard to find a perfect solution for everyone. Also this makes it very hard when you update from one version to another: we don't want to simply overwrite the existing list of CAs and we do not really have a good way to "interact" with the Administrator and ask him what he wants (some customers even do the upgrades automatically overnight).

                       

                      So most likely if you do not run a fresh installation you will find the "old" CA list (approx 100 entries). In this case I would always recommend to download the one provided in the link above, which has around 280 entries. You can use that list as a basis for your own list, or subscribe to it later and let us do the job.

                       

                      Feedback is always welcome, of course.

                       

                      Best,

                      Andre

                      • 8. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
                        Regis

                        An update to 7.1.6.1 alone wasn't sufficient for us, for what it's worth. Apparently the notion of the CA list carries with the policy.

                        • 9. Re: SSL certificate issue - ironically with www.ssllabs.com... and secure.mcafee.com
                          Jon Scholten

                          The migration from older versions to 7.1.6 does not update the CAs list (as Andre outlined). For reference I have published the full list of changes, and specifically for the CAs, I have created a file which you can import to update the list. You can find this here:

                           

                          Default policy changelog

                           

                          I have a specific section and importable list of CAs that are default on 7.1.6 (that you would not get if you upgrade).

                           

                          Best.

                          Jon
