3 Replies Latest reply on Mar 25, 2016 7:16 AM by Prasanth Pavan

    SSL Cert Common Name Mismatch question

    jspanitz

Just wondering how to modify the default regex for common name matching to incorporate multiple sub-domains.

The certificate verification failed due to a common name mismatch.

Host: tmcm55.zg.trendmicro.com
Common name: *.trendmicro.com
Alternative subject names: regex([^.]*\.trendmicro\.com), regex(trendmicro\.com)
        • 1. Re: SSL Cert Common Name Mismatch question
          Jon Scholten

          That's an interesting one. Firefox blocks it too because of a common name mismatch.

[Screenshot: trendmicro.jpg]

          You could create a rule like the following:

          -Criteria: SSL.Server.Certificate.HasWildcards equals True AND URL.Host matches SSL.Server.Certificate.CN

          -Action: Stop Ruleset

           

          This would fit the bill because URL.Host is "tmcm55.zg.trendmicro.com", and the CN is "*.trendmicro.com".

           

          Web gateway already has that, but converts it to a regex of "regex([^.]*\.trendmicro\.com)"...

           

          Best,

          Jon

           

          Message was edited by: jscholte on 3/25/14 5:37:18 PM CDT
          • 2. Re: SSL Cert Common Name Mismatch question
            Jon Scholten

[Screenshot: revised-rule.jpg]

The screenshot above shows a working rule, which modifies the default one.

             

The criteria for the default rule is SSL.Server.Certificate.CN.ToWildcard, whereas the rule in the screenshot is String.ToWildcard.

             

            The resulting regex is different, SSL.Server.Certificate.CN.ToWildcard is "regex([^.]*\.trendmicro\.com)", and String.ToWildCard is simply "*.trendmicro.com".

             

            Best,

            Jon
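To see why the gateway rejects this host under the default rule and what the revised rule changes, here is an added example (my own code, not code from the thread or from the gateway). It reproduces the CN.ToWildcard conversion shown above, and it assumes the String.ToWildcard rule behaves like a shell glob in which `*` may span dots, which is what lets the multi-level host pass.

```python
import fnmatch
import re

# Constructed sample taken from the thread: the host the gateway rejected and
# the certificate's wildcard CN plus the bare domain from its SAN list.
HOST = "tmcm55.zg.trendmicro.com"
CERT_NAMES = ["*.trendmicro.com", "trendmicro.com"]


def strict_wildcard_regex(name: str) -> str:
    """Convert a certificate name the way the thread shows
    SSL.Server.Certificate.CN.ToWildcard doing it: a leading '*' becomes
    '[^.]*', so the wildcard can only stand in for a single DNS label
    (the RFC 6125 interpretation)."""
    if name.startswith("*."):
        return r"[^.]*\." + re.escape(name[2:])
    return re.escape(name)


def matches_strict(host: str, names) -> bool:
    """Default-rule behaviour: '*' covers exactly one label, so a host two
    labels below the wildcard does not match."""
    return any(
        re.fullmatch(strict_wildcard_regex(n), host, re.IGNORECASE)
        for n in names
    )


def matches_loose(host: str, names) -> bool:
    """Assumed behaviour of the revised String.ToWildcard rule: plain glob
    matching where '*' may span dots. This accepts any depth of sub-domain
    under the wildcard, which is the relaxation the revised rule introduces."""
    return any(fnmatch.fnmatchcase(host.lower(), n.lower()) for n in names)


def compare(host: str, names) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {"strict": matches_strict(host, names), "loose": matches_loose(host, names)}


if __name__ == "__main__":
    for h in (HOST, "www.trendmicro.com", "trendmicro.com"):
        print(h, compare(h, CERT_NAMES))
```

Only the strict check reflects what browsers and the default gateway rule do; the loose rule will also stop the ruleset for any host at any depth under the wildcard, so apply it to the specific hosts that need it rather than globally.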

            • 3. Re: SSL Cert Common Name Mismatch question
              Prasanth Pavan

              Hi Jon Scholten,

               

I have a small doubt here. If I want to write the for this site [screenshot: 2016-03-25_1743.png], do I need to write the rule in the below way:

               

SSL.Server.Certificate.CN.ToWildcard matches *.email.tvslsl.com

OR

SSL.Server.Certificate.CN.ToWildcard is "regex([^.]*\.email.tvssl\.com)" and String.ToWildCard is simply "*.email.tvslsl.com".

Kindly help.


              Regards,

              PRASANTH.