TLS handshake fatal alert: certificate unknown(46).

Hi,

I am seeing these errors in the log for some websites which tend to utilise tracking information, particularly those which utilise a CNAME record to point to another address.

For example, the website t.myrenews.com.au is a CNAME that resolves to spgo.io, which has a valid certificate for this address.

Testing this on the console of the XG using openssl seems to happily resolve the CNAME, and accept the certificate, indicating no issue with the CA roots etc:

subject=CN = spgo.io
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5515 bytes and written 445 bytes
Verification: OK

However, this is not the case when this website is loaded via another website - it appears that the Sophos tries to perform the SSL/TLS validation on the CNAME itself, which fails, rather than the destination, which has the correct certificate:

Is this to be expected, and the only recourse is to exclude these addresses from SSL/TLS decryption as they arise? Should the Sophos appliance not be resolving the CNAME to the correct address before performing the TLS inspection, or is this happening on the browser side beyond our control?

Thanks
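As an added illustration (not part of the thread, and not Sophos code): TLS hostname verification is performed against the name the client requested (the URL host, carried in SNI), not against the name that a CNAME ultimately resolves to, so a certificate issued for spgo.io does not cover t.myrenews.com.au. The alias chain and the SAN list below are constructed from the names in the post; the real certificate's SAN entries are not shown there, so they are an assumption.

```python
"""Constructed illustration: TLS hostname checks use the requested name,
not the CNAME target, so a cert for spgo.io does not cover its aliases."""

# Constructed DNS view of the alias described in the post (no lookups made).
CNAME_CHAIN = {"t.myrenews.com.au": "spgo.io"}

# Constructed SAN list: the post shows only subject CN=spgo.io, so the entries
# here are an assumption; browsers match against subjectAltName dNSName values.
SERVER_CERT_SANS = ["spgo.io", "*.spgo.io"]


def resolve_cname(host: str, chain: dict) -> str:
    """Follow CNAME aliases to the canonical name, as a resolver does."""
    seen = set()
    while host in chain and host not in seen:  # guard against alias loops
        seen.add(host)
        host = chain[host]
    return host


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 dNSName matching: exact match, or a single leading '*' label
    covering exactly one label ('*.spgo.io' covers 'a.spgo.io' but neither
    'spgo.io' nor 'a.b.spgo.io')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(host: str, sans: list) -> bool:
    """True if any SAN dNSName entry matches the requested host."""
    return any(dns_name_matches(san, host) for san in sans)


def verify_as_browser(requested_host: str, sans=SERVER_CERT_SANS, chain=CNAME_CHAIN):
    """Return (canonical_name, ok). DNS is followed only to find the server;
    the certificate is still matched against the name that was requested."""
    canonical = resolve_cname(requested_host, chain)
    return canonical, cert_covers(requested_host, sans)


if __name__ == "__main__":
    for name in ("t.myrenews.com.au", "spgo.io"):
        canonical, ok = verify_as_browser(name)
        print(f"{name} -> {canonical}: {'OK' if ok else 'hostname mismatch'}")
```

Checking the canonical name alone (as an openssl s_client test against spgo.io would) passes, while the name the browser actually requested fails the same check.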

    Hello,

    Thank you for reaching out to the community. Based on the error "fatal alert certificate unknown(46)", this is the browser refusing the communication. Have you tried with a different browser? The fix for this problem is to use a certificate trusted by the browser. In the case of a self-signed certificate, this means that you either have to import the certificate into the browser as trusted (in which case the Subject Alternative Names in the certificate must match the URL) or add an explicit exception at the warning dialog you get when visiting the site.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 