Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 1 subscriber
  • Views 5635 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[7.504][solved]SSL Scanning

wingman
Hi All

I've placed the mozila network under the ssl and certificate exception and I am still unable to download addon/update the client.It seems that the exception is not applied.I've disabled and re enabled the http proxy,clearing cache,restarting ASG but still no luck.

the logs indicates that there is no exception applied

The SSL exception is applied to the whole Mozilla network (63.245.208.0/20)

2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48
2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:842:
2010:02:25-23:12:49 stuffman httpproxy[4097]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.*.*" user="***" statuscode="200" cached="0" profile="REF_gTJkfSrJvf (AD Users)" filteraction="REF_PAZIrYpGAv (AD Filter)" size="0" time="0 ms" request="0xa5b34e98" url="services.addons.mozilla.org/" exceptions="" error="" 
2010:02:25-23:12:53 stuffman httpproxy[4097]: [0xa5b11fc8] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48
2010:02:25-23:12:53 stuffman httpproxy[4097]: [0xa5b11fc8] ssl_log_errors (ssl.c:41) C: 4097:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:842:


Thanks


This thread was automatically locked due to age.
  • 0
    Did you just use the IP range as the exception, or the URL https://services.addons.mozilla.org/ ?  I would try the URL if you haven't yet.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    I've tried the whole /20 network [:)]
    I know it works cause I have couple of other exceptions and then removed them..I performed the same for another ONLY URL exception(another website) and worked fine! Do you think might be an issue when defining the network ?
  • 0
    I am able to see SSL exception for URL but not for Networks.Not sure if we meant to see SSL exception for /24 networks for example
  • 0
    or maybe their server is properly detecting your main in the middle interception and breaking like it should..[:)]

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    I've tried that with various networks and none of them work
  • 0
    try turning off https scanning

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    try turning off https scanning


    William all HTTPS site work fine (my exceptions as in place and I can see my certificate when connecting to https site)

    However, When I enable SSL scanning exception for a whole network  such as a.b.c.d/x, the SSL exception doesn't seem to work.However, when I do the same with a url it does
  • 0
    Update

    Since the network SSL doesn't work,I've managed to allow mozilla updates by allowing the Spefici URL.However, could someone from the ASTARO team confirm my initial thoughts?

    Thanks
  • 0
    Hi wingman,

    2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48

    Reading this log line, it looks like your Client Browser doesn't have the Astaro AG Proxy CA installed. Yes, i admit that OpenSSL error messages are ugly...

    Regards,

    Sven.
  • 0 in reply to svens
    Hi wingman,

    2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48

    Reading this log line, it looks like your Client Browser doesn't have the Astaro AG Proxy CA installed. Yes, i admit that OpenSSL error messages are ugly...

    Regards,

    Sven.


    Hi sven

    The CA is installed as I am able to browse all HTTPS sites with no issues. When I've added an SSL scannine exception for the specific URL instead of the whole network it worked fine which means it's definately not CA issue [:)]