While I don't have a fix, I thought you may want to know that we are using 22.214.171.124 and those sites work fine for us.
"Block Unknown Certificate Authorities" indicates that the signing CA is not part of your trusted CA list. Are you using the list that initially shipped with the product? There is an updated list available at
which contains more root and intermediate CAs. So far the feedback I have received on the updates list was pretty good, so maybe you want to give it a try?
As I understand it, there will be an issue with intermediate CAs where the cert uses the 'Authority Information Access' extension. This extension allows sites to simply include a link to the intermediate CA cert rather than having to provide the full chain. The latest version of browsers will follow the chain of links to see if there is a trusted root CA, but the MWG does not yet have that capability. So the MWG sees only the intermediate CA and blocks since it doesn't see the root CA which it probably trusts. McAfee has some solutions in the pipeline, including the ability to subscribe to a CA list from McAfee or support the AIA extension.
In the meantime, we've been manually adding dozens of intermediate CAs as we encounter them to the default CA list. This is on version 7.1.5, I am not sure what is different in 7.1.6, possibly there is an expanded CA list with that version.
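The behaviour described in the two posts above, the gateway seeing only the leaf and an intermediate it has never heard of, versus a browser that follows the 'Authority Information Access' caIssuers link, can be reproduced offline. The following Go program is an added illustration and is not code from McAfee Web Gateway or from anyone in this thread. It constructs its own root, intermediate and leaf certificates, gives the leaf an AIA caIssuers pointer to a hypothetical URL (`http://example.invalid/intermediate.cer`), and replaces the network with a map. `VerifyPresented` does what the gateway does (check the leaf against the root store with only what the server sent); `VerifyFollowingAIA` does what current browsers do (fetch the issuer named by AIA, add it as an intermediate, retry). The hostname `www.example.test` and all certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const leafHost = "www.example.test" // constructed hostname, not a real site

// PKI is a constructed root -> intermediate -> leaf chain standing in for a real site.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewTestPKI builds the chain. Only the leaf carries an AIA caIssuers URI (aiaURL,
// a hypothetical address); the intermediate is deliberately NOT put in any root
// store, which is the situation the thread describes.
func NewTestPKI(aiaURL string) *PKI {
	now := time.Now()
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(ca(2, "Example Intermediate CA"), root, &intKey.PublicKey, rootKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafHost},
		DNSNames:  []string{leafHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{aiaURL}, // the AIA caIssuers pointer
	}, inter, &leafKey.PublicKey, intKey)
	return &PKI{root, inter, leaf}
}

// VerifyPresented is the gateway's view: the leaf is checked against the root
// store using only the certificates the server actually sent in the handshake.
func VerifyPresented(leaf *x509.Certificate, roots *x509.CertPool, presented []*x509.Certificate) error {
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leafHost})
	return err
}

// Fetcher stands in for an HTTP GET of a caIssuers URI (a map in main, so this runs offline).
type Fetcher func(url string) (*x509.Certificate, error)

// VerifyFollowingAIA is the browser's behaviour: when the chain is incomplete, fetch the
// issuer named by the AIA extension, add it as an intermediate and retry, at most maxHops
// times. A fetched certificate is untrusted input: it is only kept if it really signed the
// certificate that pointed at it, and the chain still has to end at a root already trusted.
func VerifyFollowingAIA(leaf *x509.Certificate, roots *x509.CertPool, fetch Fetcher, maxHops int) error {
	inter := x509.NewCertPool()
	cur := leaf
	for hop := 0; ; hop++ {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leafHost})
		if err == nil {
			return nil
		}
		var unknown x509.UnknownAuthorityError
		if !errors.As(err, &unknown) || hop >= maxHops || len(cur.IssuingCertificateURL) == 0 {
			return err
		}
		url := cur.IssuingCertificateURL[0]
		issuer, ferr := fetch(url)
		if ferr != nil {
			return fmt.Errorf("AIA fetch %s: %w", url, ferr)
		}
		if serr := cur.CheckSignatureFrom(issuer); serr != nil {
			return fmt.Errorf("certificate at %s did not issue %q: %w", url, cur.Subject.CommonName, serr)
		}
		inter.AddCert(issuer)
		cur = issuer
	}
}

func main() {
	const aiaURL = "http://example.invalid/intermediate.cer" // hypothetical caIssuers URL
	pki := NewTestPKI(aiaURL)
	roots := x509.NewCertPool()
	roots.AddCert(pki.Root) // the gateway trusts the root but has never seen the intermediate
	network := map[string]*x509.Certificate{aiaURL: pki.Intermediate} // constructed "internet"
	fetch := func(u string) (*x509.Certificate, error) {
		if c, ok := network[u]; ok {
			return c, nil
		}
		return nil, fmt.Errorf("no such URL %q", u)
	}
	fmt.Println("leaf only, AIA not followed:", VerifyPresented(pki.Leaf, roots, nil))
	fmt.Println("server sends full chain:    ", VerifyPresented(pki.Leaf, roots, []*x509.Certificate{pki.Intermediate}))
	fmt.Println("leaf only, AIA followed:    ", VerifyFollowingAIA(pki.Leaf, roots, fetch, 3))
}
```

The first call fails with an unknown-authority error even though the root is trusted, which is exactly the "Block Unknown Certificate Authorities" case; the second and third succeed. Note that manually importing the intermediate into the gateway's list, as the posts describe, is equivalent to pre-populating `presented` with it, and that following AIA over plain HTTP is only safe because the fetched certificate is still checked by signature and the chain still has to terminate at a root already in the store.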
The solution we usually use is not to import the site's or intermediate site's certificate, but go all the way to the root issuer. This has solved every problem we've had except for one.
It is with logmeinrescue.com's root being Thawte, Inc. we've still had problems after importing the certificate. I have a suspicion that they may use another site, but the web reporter and wireshark haven't helped much :/
Still, the other 20 times or so this happened, that solved it.
I tested out ssllabs.com and was blocked also. After adding the StartComCertificationAuthority certificate I got through (see attached).
Thanks -- yes this is a box with the default CA list on it.
Funny - 2 sessions of quickstart consulting with McAfee/Accuvant, and an expensive onsite visit from a DLP consultant who used to be on the MWG support team, and you'd think someone would've mentioned that the 126.96.36.199 "stable" release's list of CA's is not exactly what you want.
The comment in regards to the AIA extension is correct. MWG 7.x does not support this at the moment. There is a feature request filed to get support, but it seems not to be available yet. We have seen more and more complaints about the CA list shipped with the product, so we decided to go ahead and create a new one within my team and manage it as well as possible. For MWG 7.2 and higher (once released) the list we maintain can be "subscribed", so in case we change it, the changes will automatically be applied to the list you are using (which requires that you trust our work, of course).
For older versions I export the latest version of the list and dump it into the Online Rule Set Library as a rule set (see above). It should work much better. In case you use it, any kind of feedback would be appreciated (as usual ;-)).
The major problem is that we do not really know what customers do. Some spend a lot of time maintaining a list that matches their needs and security guidelines, others do not care at all and want to have a default list which just works fine and does not need any manual work - so it is hard to find a perfect solution for everyone. This also makes it very hard when you update from one version to another: we don't want to simply overwrite the existing list of CAs and we do not really have a good way to "interact" with the Administrator and ask him what he wants (some customers even do the upgrades automatically overnight).
So most likely if you do not run a fresh installation you will find the "old" CA list (approx 100 entries). In this case I would always recommend to download the one provided in the link above, which has around 280 entries. You can use that list as a basis for your own list, or subscribe to it later and let us do the job.
Feedback is always welcome, of course.
An update to 188.8.131.52 alone wasn't sufficient for us, for what it's worth. Apparently the notion of the CA list carries with the policy.
The migration from older versions to 7.1.6 does not update the CAs list (as Andre outlined). For reference I have published the full list of changes, and specifically for the CAs, I have created a file which you can import to update the list. You can find this here:
I have a specific section and importable list of CAs that are default on 7.1.6 (that you would not get if you upgrade).