Broken Cert Chain

I have M270 with 12.5.1
There are a few sites that do not render correctly (some parts of the page do not show up at all). No errors get logged. When I use an https packet filter rule, the page shows up correctly.

I checked the SSL certs and the root and intermediate certs aren't listed on M270 cert list. I think that may be the cause.

How do I add those root and intermediate certs to M270 so that proxy content inspection works?

Comments

  • We have seen this and find it most commonly with Digicert certificates.

    Try this...
    Go to the site (from another machine or through the packet filter).
    Inspect the certificate and export the root CA cert and the intermediate cert.
    Import them into the Firebox as General Use certificates (root CA first)
    Try the proxy again.

    ~Jon

  • You can get cert packages from the cert vendors themselves as well and then import them.

    Gregg Hill

  • RonRon
    edited February 25

    These are the certs used on the site:
    https://letsencrypt.org/certificates/

    and the site is
    https://www.gellaboratories.com/laboratories/certifications

    I've imported isrg-root-x1-cross-signed.pem and lets-encrypt-r3-cross-signed.pem into WG (as General Use certificates). Web page is still not showing up correctly with Proxy rule.

    The entire section (see below) is missing with the Proxy rule but shows up correctly with the packet filter rule. That missing section is what my user needs to download but is unable to.

    CERTIFICATION FILES
    (missing section where all the clickable PDFs are listed)
    ADDITIONAL CERTIFICATION AND APPROVAL PROGRAMS

  • I'm running V12.7 beta, and I have no issues accessing that site.

    In recent versions of WSM Firebox System Manager -> View -> Certificates, there is an "Update Trusted CA Certificates" button, which may help, if you have that feature.

  • RonRon
    edited February 25

    I do have it and "Enable automatic update of trusted CA cert" is checked too. Manually updating it says: "The most recent versions of the trusted CA certificates are already installed on the device."

    Do you see a clickable list under CERTIFICATION FILES like the following?

    A2LA DoD ISO 17025

    Alabama

    Alaska Drinking Water PFAS

  • I have a T20W running 12.6.4 and I see the page correctly when using HTTPS with DPI. There are no Let's Encrypt certs in my T20W.

    Gregg Hill

  • This is weird. When I added an exception to Allow www.gel-mobile.com (where all the PDFs are hosted), the page renders correctly. I also deleted the Let's Encrypt certs that I added yesterday. The entries in the list under CERTIFICATION FILES all show now. Not sure what it is on that site that causes the M270 to fail packet inspection.

  • "I have M270 with 12.5.1" may be an issue. You can check release notes for newer firmware to see if there is anything related.

    Gregg Hill

  • Maybe it's a problem with the www.gel-mobile.com site's "F" failing grade for their SSL/TLS as reported here https://www.ssllabs.com/ssltest/analyze.html?d=www.gel-mobile.com

    Gregg Hill

  • @Greggmh123 said:
    "I have M270 with 12.5.1" may be an issue. You can check release notes for newer firmware to see if there is anything related.

    I just upgraded to v12.7
    I still can't get the list of PDFs without placing www.gel-mobile.com in the bypass for content inspection.

  • What are your settings for the TLS profile on your HTTPS proxy action?
    I have: TLS v1.2; Only allow TLS compliant traffic, PFS Ciphers = Allowed

    I still have no issue accessing the PDFs there.

    Add a specific Inspect entry for www.gel-mobile.com at the top of your Domains list with Log selected, to help debug this.

  • TLS profile

    Minimum: TLS v1.2
    OCSP: Lenient
    PFS Ciphers: Allowed
    Only allow TLS compliant traffic: Unchecked
    TLS Compliance: Not enforced

  • Perhaps there is something in your HTTP proxy action specified in the HTTPS proxy action which is causing this access to fail.
    Make sure that you have Log selected on that HTTP proxy action for every Drop or Deny

  • This is what I see in my logs when I select Alabama:

    2021-05-03 15:25:12 Allow 10.0.1.2 50.56.212.218 https/tcp 60472 443 Trust-VLAN External ProxyAllow: HTTP request URL match (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="590" msg_id="1AFF-000B" proxy_act="HTTP-Client.DPI" rule_name="Default" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" geo_dst="USA" Traffic
    2021-05-03 15:25:12 Allow 10.0.1.2 50.56.212.218 https/tcp 60472 443 Trust-VLAN External ProxyAllow: HTTP Request categories (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.DPI" cats="Business and Economy" op="GET" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" action="WebBlocker.DPI" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 54.174.40.213 dns/udp 65225 53 Trust-VLAN External ProxyAllow: DNS question match (DNS-proxy-00) DNS-Outgoing.1 proc_id="dns-proxy" rc="590" msg_id="1DFF-000E" proxy_act="DNS-Outgoing.1" rule_name="Default" query_type="AAAA" question="www.gel-mobile.com" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 54.174.40.213 dns/udp 65225 53 Trust-VLAN External DNS request (DNS-proxy-00) DNS-Outgoing.1 proc_id="dns-proxy" rc="541" msg_id="1DFF-000F" proxy_act="DNS-Outgoing.1" query_type="AAAA" question="www.gel-mobile.com" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60473 443 Trust-VLAN External ProxyInspect: HTTPS domain name match (HTTPS-proxy-for-Bruce-PC-00) HTTPS-Client-DPI proc_id="https-proxy" rc="592" msg_id="2CFF-0003" proxy_act="HTTPS-Client-DPI" rule_name="Default" sni="www.gel-mobile.com" cn="" ipaddress="50.56.212.218" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60473 443 Trust-VLAN External ProxyAllow: HTTP request URL match (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="590" msg_id="1AFF-000B" proxy_act="HTTP-Client.DPI" rule_name="Default" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60473 443 Trust-VLAN External ProxyAllow: HTTP Request categories (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.DPI" cats="Business and Economy" op="GET" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" action="WebBlocker.DPI" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60472 443 Trust-VLAN External HTTP request (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.DPI" op="GET" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" sent_bytes="377" rcvd_bytes="893748" elapsed_time="1.126676 sec(s)" app_id="222" app_cat_id="14" app_name="HTTP" app_cat_name="Web services" sig_vers="18.145" reputation="50" geo_dst="USA" Traffic
    2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60473 443 Trust-VLAN External HTTP request (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.DPI" op="GET" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" sent_bytes="405" rcvd_bytes="41835" elapsed_time="0.142014 sec(s)" app_id="350" app_cat_id="19" app_name="HTTP Protocol over TLS SSL" app_cat_name="Network protocols" sig_vers="18.145" reputation="50" geo_dst="USA" Traffic
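A small parser for Fireware traffic log lines like the ones quoted above, added here as an example and not part of the original post. It splits each line into its fixed fields, the free-text message and the key="value" pairs, so that any Drop or Deny entry stands out and the entries for one TCP connection can be read together. Two sample lines are copied from the post; the third is a constructed Deny line whose rc and msg_id are placeholders.

```python
import re
from collections import defaultdict

# Fixed prefix of a Fireware traffic log line as seen in the thread: time, disposition,
# src, dst, service, sport, dport, in-interface, out-interface, then free text and key="value" pairs.
PREFIX = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<disp>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<iface_in>\S+) (?P<iface_out>\S+) (?P<rest>.*)$"
)
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict with the fixed fields, the message text and every key="value" pair, or None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    first = KV.search(rest)
    # Everything before the first key="value" pair is the human-readable message.
    rec["message"] = rest[: first.start()].strip() if first else rest.strip()
    rec.update(KV.findall(rest))
    return rec


def non_allow(records):
    """Entries whose disposition is anything other than Allow: the Drop/Deny lines to look for."""
    return [r for r in records if r["disp"] != "Allow"]


def by_flow(records):
    """Group entries by (src, sport, dst, dport) so one proxied connection can be read end to end."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    return dict(flows)


# Constructed sample: two lines from the post plus one placeholder Deny line (not real Fireware output).
SAMPLE = [
    '2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60473 443 Trust-VLAN External ProxyInspect: HTTPS domain name match (HTTPS-proxy-for-Bruce-PC-00) HTTPS-Client-DPI proc_id="https-proxy" rc="592" msg_id="2CFF-0003" proxy_act="HTTPS-Client-DPI" rule_name="Default" sni="www.gel-mobile.com" cn="" ipaddress="50.56.212.218" geo_dst="USA" Traffic',
    '2021-05-03 15:25:13 Allow 10.0.1.2 50.56.212.218 https/tcp 60473 443 Trust-VLAN External HTTP request (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.DPI" op="GET" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" sent_bytes="405" rcvd_bytes="41835" elapsed_time="0.142014 sec(s)" app_id="350" app_cat_id="19" app_name="HTTP Protocol over TLS SSL" app_cat_name="Network protocols" sig_vers="18.145" reputation="50" geo_dst="USA" Traffic',
    '2021-05-03 15:25:14 Deny 10.0.1.2 50.56.212.218 https/tcp 60474 443 Trust-VLAN External ProxyDeny: constructed placeholder (HTTPS-proxy-for-Bruce-PC-00) HTTP-Client.DPI proc_id="http-proxy" rc="000" msg_id="0000-0000" proxy_act="HTTP-Client.DPI" dstname="www.gel-mobile.com" arg="/certifications/Alabama.pdf" geo_dst="USA" Traffic',
]

if __name__ == "__main__":
    records = [r for r in (parse_line(l) for l in SAMPLE) if r]
    for r in non_allow(records):
        print(r["ts"], r["disp"], r["proxy_act"], r.get("dstname"), r.get("arg"), "-", r["message"])
```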

  • @Bruce_Briggs said:
    Perhaps there is something in your HTTP proxy action specified in the HTTPS proxy action which is causing this access to fail.
    Make sure that you have Log selected on that HTTP proxy action for every Drop or Deny

    I'm looking at HTTP-Client.Standard.1 through Fireware Policy Manager. I can't find the location to enable logging on Drop/Deny. Where would I find that?

  • You need to look at each setting, such as URL Paths, the HTTP Response options, WebBlocker, GAV, etc.

  • Alternatively for testing, switch to HTTP-Client.Standard which will have the defaults which should include Log for any deny settings
