8 Replies Latest reply on May 27, 2014 6:38 AM by darkfell

    CertificateChain.ContainsExpiredCA

    seebvey

      Hi,

      I have a problem with one Web Gateway and the SSL Scanner.

      For example, if I go to www.vmwareforumemea.com, I get an error message that the Certificate Chain contains an expired CA.

      We use the McAfee Maintained CA List.

      In the Rule Tracing Central I can see:   "SSL.Server.CertificateChain.ContainsExpiredCA<McAfee Maintained List> equals true"     true!

      The same website is working on three other Web Gateways:

      "SSL.Server.CertificateChain.ContainsExpiredCA<McAfee Maintained List> equals true"     false!

      How can I check and fix this problem?

      Best regards

      Sebastian

        • 1. Re: CertificateChain.ContainsExpiredCA
          asabban

          Hello!

           

          The first item to check is the content of the McAfee Maintained Root CA list. If the MWGs behave differently, there should be a difference. I would check if the lists are identical on the system with the problem compared to the system which does not show a problem.

           

          Best,

          Andre

          • 2. Re: CertificateChain.ContainsExpiredCA
            seebvey

            Hi Andre,

            thanks for your reply.

            I checked the lists on the systems. They are identical.

            The difference between the systems is the version, but can this be a problem?

            Version 7.3.2.1.x and 7.3.2.8.x.

            Does Web Gateway do any caching of certificates?

            Regards

            Sebastian

            • 3. Re: CertificateChain.ContainsExpiredCA
              asabban

              Hello,

               

              I have been made aware that there is a known issue which can cause such a problem. Maybe a little background information:

               

              The SSL Scanner related properties point to a "Certificate Chain" setting, which can be found in Policy->Settings->Engines->Certificate Chain. By default there is just one setting called "Default". Within this setting you make a relation to the list of certificate authorities which MWG uses to do the certificate verification etc. When you are affected by the known issue MWG will not (only) search through the list that is referenced in the setting, but also in other, probably older existing lists. We have seen this issue especially with the GlobalSign certificates which have been recently replaced.

               

              On the affected MWG you should first of all ensure that the correct list is referenced in the setting. If you upgraded from older versions you may have more than one CA list. One of the lists is the "subscribed" list, which means it is maintained by McAfee. That list is called "Known CAs" usually. Please ensure that this list is configured in the setting, and no other list is referenced (you can use up to one maintained and one static list per setting).

               

              After you have checked this please go to Policy->Lists and check if there is any other list of the type "certificate authority". If you find one you should check if it contains a "GlobalSign" CA. If you find such an entry, go ahead and delete it and check if that resolves the problem.

               

              Additionally you should have a quick look at the update.log and verify that the maintained CA list is successfully updated. When you trigger an update manually there should not be an issue talking to the update server when obtaining the latest version of the Root CA list. Otherwise it is possible that you are still running on an older list, which had older (expired) GlobalSign CAs in it. In this case an update of the lists should help.

               

              By default there is a 5 minute cache enabled, which is called "SSL session cache" and is configurable from within the SSL Scanner related settings.

               

              Best,

              Andre

              • 4. Re: CertificateChain.ContainsExpiredCA
                seebvey

                Hi Andre,

                thank you very much.

                Exactly, that was the problem: an old list with GlobalSign CA entries.

                Regards

                Sebastian

                • 5. Re: CertificateChain.ContainsExpiredCA
                  asabban

                  Cool!

                   

                  Thank you for the verification.

                   

                  Best,

                  Andre

                  • 6. Re: CertificateChain.ContainsExpiredCA
                    darkfell

                    Why is the website https://yadi.sk/ blocked by the rule "Certificate chain contains expired certificate"?

                    • 7. Re: CertificateChain.ContainsExpiredCA
                      asabban

                      Hello,

                       

                      An intermediate CA was missing in the chain, so MWG seemed to follow a wrong certification path. I have updated the list to include the missing intermediate CA. If you perform an engine update you should obtain the updated list. If you close and restart the browser, access to yadi.sk should be possible.

                       

                      Best,

                      Andre
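As an added illustration (not code from this thread, from McAfee Web Gateway, or from any of the posters), the following Python models the two situations Andre describes in reply 3 and reply 7: a leftover CA list that still carries the previous generation of a CA under the same subject name, and a server that omits its intermediate so the intermediate has to come from a CA list. The certificate names, dates, list contents and the path-building rules are all constructed for the example; the `build_path` function is a simplified stand-in for MWG's chain building, not its implementation. The `prefer_valid` option goes one step beyond the thread and shows how a path builder that prefers an unexpired candidate when several certificates share a subject would avoid the false positive altogether.

```python
from datetime import datetime, timezone
from typing import List, Optional, Sequence


class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields that
    chain building and the expired-CA check look at."""

    def __init__(self, subject: str, issuer: str, not_after: datetime) -> None:
        self.subject = subject
        self.issuer = issuer
        self.not_after = not_after

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def expired(self, now: datetime) -> bool:
        return now > self.not_after


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed clock and certificates (all names and dates are invented).
NOW = _utc(2014, 5, 27)
LEAF = Cert("www.example.com", "Example Intermediate CA", _utc(2015, 1, 1))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", _utc(2020, 1, 1))
ROOT = Cert("Example Root CA", "Example Root CA", _utc(2028, 1, 1))

# The maintained "Known CAs" list carries the renewed root.
KNOWN_CAS: List[Cert] = [ROOT]
# A list left over from an upgrade still carries the previous generation of the
# same CAs: identical subject names, but already past notAfter.
OLD_LIST: List[Cert] = [
    Cert("Example Intermediate CA", "Example Root CA", _utc(2014, 1, 1)),
    Cert("Example Root CA", "Example Root CA", _utc(2014, 1, 1)),
]


def build_path(server_chain: Sequence[Cert], trust_lists: Sequence[Sequence[Cert]],
               now: datetime, prefer_valid: bool = False,
               max_len: int = 10) -> Optional[List[Cert]]:
    """Walk from the leaf (server_chain[0]) up to a self-signed root.

    Issuer candidates come from the rest of the server-supplied chain first,
    then from each trust list in the order given.  With prefer_valid=False the
    first subject match wins, which is what a builder does when a stale list is
    searched in addition to the configured one; with prefer_valid=True an
    unexpired candidate is chosen when several certificates share a subject.
    Returns None when no issuer can be found (missing intermediate or unknown root).
    """
    path = [server_chain[0]]
    while not path[-1].is_self_signed():
        if len(path) >= max_len:          # guard against loops in bad input
            return None
        wanted = path[-1].issuer
        candidates = [c for c in server_chain[1:] if c.subject == wanted]
        for lst in trust_lists:
            candidates.extend(c for c in lst if c.subject == wanted)
        if not candidates:
            return None
        chosen = candidates[0]
        if prefer_valid:
            chosen = next((c for c in candidates if not c.expired(now)), candidates[0])
        path.append(chosen)
    return path


def contains_expired_ca(path: Optional[List[Cert]], now: datetime) -> Optional[bool]:
    """Counterpart of the ContainsExpiredCA property: True if any CA certificate
    above the leaf is past its notAfter; None if no path could be built at all."""
    if path is None:
        return None
    return any(c.expired(now) for c in path[1:])


def scenario_stale_list():
    """Reply 3: the server sends leaf + intermediate, but a leftover CA list is
    searched as well and its expired root wins the lookup."""
    chain = [LEAF, INTERMEDIATE]
    both_lists = build_path(chain, [OLD_LIST, KNOWN_CAS], NOW)
    only_known = build_path(chain, [KNOWN_CAS], NOW)          # stale list deleted
    robust = build_path(chain, [OLD_LIST, KNOWN_CAS], NOW, prefer_valid=True)
    return (contains_expired_ca(both_lists, NOW),
            contains_expired_ca(only_known, NOW),
            contains_expired_ca(robust, NOW))


def scenario_missing_intermediate():
    """Reply 7: the server omits the intermediate, so it must come from a CA list."""
    chain = [LEAF]
    no_source = build_path(chain, [KNOWN_CAS], NOW)              # nothing to complete with
    stale_source = build_path(chain, [OLD_LIST, KNOWN_CAS], NOW)  # completes via the expired one
    updated_known = build_path(chain, [KNOWN_CAS + [INTERMEDIATE], OLD_LIST], NOW)
    return (contains_expired_ca(no_source, NOW),
            contains_expired_ca(stale_source, NOW),
            contains_expired_ca(updated_known, NOW))


if __name__ == "__main__":
    print("stale list (both lists, only Known CAs, prefer_valid):", scenario_stale_list())
    print("missing intermediate (no source, stale source, updated list):",
          scenario_missing_intermediate())
```

Running it shows the same pattern the thread reports: with the leftover list present the check fires (`True`), with only the maintained list it does not (`False`), and when the server omits its intermediate the only way to complete the chain is through whatever list happens to contain that subject, which is why adding the current intermediate to the maintained list resolved the yadi.sk case. The `None` result is worth keeping in mind when reading rule traces: a chain that cannot be completed at all is a different failure from one that completes through an expired CA.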

                      • 8. Re: CertificateChain.ContainsExpiredCA
                        darkfell

                        Thanks, it works.

                         

                        Message was edited by: darkfell on 5/27/14 6:38:21 AM CDT