Is there a fix for err 20 & 21?
Ever since attaching a Samsung so-called "smart" TV to the network via Wi-Fi, I have been seeing these errors. They don't seem to affect things but it is a bit annoying.
2022-06-12 09:16:26 pxy Peer certificate preverify failed (err 20 : unable to get local issuer certificate) for [/C=KR/ST=Kyong-gi/O=Samsung Electronics/OU=Samsung Hubsite/CN=*.samsungcloudsolution.net] (cert 0x1056f680, store 0x10a394b8)
2022-06-12 09:16:26 pxy Peer certificate preverify failed (err 21 : unable to verify the first certificate) for [/C=KR/ST=Kyong-gi/O=Samsung Electronics/OU=Samsung Hubsite/CN=*.samsungcloudsolution.net] (cert 0x1056f680, store 0x10a394b8)
Q1: Is the use of the wildcard "*" even valid nomenclature?
...and, more importantly...
Q2: Is there a way of fixing this so that the certificate look-up is resolved?
If the fix involves me downloading and installing a certificate (or three) to the Firebox, you'll have to give me the details like where to find the valid certificate(s). It has been centuries since I have had to do any of this type of network stuff.
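Added example, not part of this thread and not WatchGuard's or Samsung's code: a POSIX shell script that uses the openssl CLI to build a constructed three-tier chain (a made-up "Example Root CA", an "Example Intermediate CA" and a wildcard leaf for `*.example.test`), then reproduces verify error 20 ("unable to get local issuer certificate") in the situation the log lines above describe: the verifier trusts only the root and the peer presented only the leaf. It then shows the two conditions under which the error clears: the peer also presenting its intermediate during the handshake, or the verifier having the issuing CA installed in its own trust store (the "install a certificate to the Firebox" route from Q2). All names, file paths, the config file and the `verify_code` helper are invented for the example.

```shell
#!/bin/sh
# Added example, not WatchGuard or Samsung code. Builds a constructed chain
#   Example Root CA -> Example Intermediate CA -> *.example.test
# with the openssl CLI, reproduces verify error 20 ("unable to get local
# issuer certificate"), and shows the two conditions under which it clears.
set -e
WORK="$(mktemp -d)"

# Minimal req config so the result does not depend on the system openssl.cnf.
# Only the self-signed root needs extensions here; CSRs get theirs at signing.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Constructed root CA (self-signed). In the leaf_only scenario this is the
# only certificate the verifier (think: the proxy's trust store) trusts.
openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Constructed intermediate CA signed by the root. It must carry CA:TRUE,
# otherwise openssl rejects it as an issuer (error 24, invalid CA certificate).
openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Constructed wildcard leaf signed by the intermediate, standing in for the
# *.samsungcloudsolution.net style certificate in the log lines.
openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=*.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Trust store that also holds the intermediate: models installing the
# issuing CA on the verifier itself.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root-and-int.pem"

# verify_code SCENARIO: run openssl verify for one scenario and print "ok"
# when the chain validates, else the X509 verify error number openssl
# reported ("error N at D depth lookup: ..."), or "unknown" if it failed
# without reporting one.
#   leaf_only       verifier trusts only the root; peer presented just the leaf
#   peer_sends_int  peer also presented the intermediate (-untrusted)
#   int_installed   verifier's own trust store contains the intermediate
verify_code() {
    store="$WORK/root.pem"
    extra=""
    case "$1" in
        leaf_only)      ;;
        peer_sends_int) extra="-untrusted $WORK/int.pem" ;;
        int_installed)  store="$WORK/root-and-int.pem" ;;
        *) echo "usage: verify_code leaf_only|peer_sends_int|int_installed" >&2
           return 2 ;;
    esac
    # -no-CAfile/-no-CApath keep the system trust store out of the picture.
    if openssl verify -no-CAfile -no-CApath -CAfile "$store" $extra \
            "$WORK/leaf.pem" > "$WORK/verify.out" 2>&1; then
        echo ok
    else
        code="$(sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' \
                "$WORK/verify.out" | head -n 1)"
        echo "${code:-unknown}"
    fi
}

# Expected: leaf_only -> 20, peer_sends_int -> ok, int_installed -> ok
for scenario in leaf_only peer_sends_int int_installed; do
    printf '%-15s -> %s\n' "$scenario" "$(verify_code "$scenario")"
done
```

Reading the result against the log: err 20 is raised while OpenSSL is building the chain and cannot find the leaf's issuer in the trust store; the second line, err 21 ("unable to verify the first certificate"), is what OpenSSL reports when verification is allowed to continue past that point with a chain that still consists of the leaf alone, which is why a proxy that logs rather than aborts shows both for the same certificate. The `openssl verify` command stops at the first error, so the script surfaces only 20. In practice the missing issuer has to come from the CA that signed the leaf (for example, from the intermediate the server sends, which `openssl s_client -showcerts` displays), and the fix is either that the server sends a complete chain or that the issuing CA is installed in the verifier's trust store, as the `int_installed` scenario shows.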
Answers
One option is to not use the HTTPS proxy to allow traffic from the Samsung to the Internet.
To do this, add an HTTPS packet filter, From: the Samsung IP addr To: Any-external.
This policy should end up above the current HTTPS proxy policy. If it doesn't, then move it above the current one.
...and if the IP address is dynamically assigned using DHCP, be sure to reserve the IP address for the MAC of the device or you'll be chasing your tail for quite some time.
If I understand packet filters versus proxies, it appears the checking is less stringent with packet filters. In this situation, resolution of the certificate is avoided.
FYI - there is no checking of the contents of a packet when using a packet filter.
I separate these "entertainment devices" onto their own VLAN, and set up an "Any-Custom" policy for a while to see what they need to do their stuff. It used to be easy, but nowadays there is so much crap on these devices it is hard to do anything restrictive with them other than to keep them off your trusted network.
Adrian from Australia