[7.504][solved]SSL Scanning

Hi All

I've placed the Mozilla network under the SSL and certificate exception and I am still unable to download add-ons/update the client. It seems that the exception is not applied. I've disabled and re-enabled the HTTP proxy, cleared the cache, and restarted the ASG, but still no luck.

The logs indicate that there is no exception applied.

The SSL exception is applied to the whole Mozilla network (63.245.208.0/20)

2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48
2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:842:
2010:02:25-23:12:49 stuffman httpproxy[4097]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.*.*" user="***" statuscode="200" cached="0" profile="REF_gTJkfSrJvf (AD Users)" filteraction="REF_PAZIrYpGAv (AD Filter)" size="0" time="0 ms" request="0xa5b34e98" url="services.addons.mozilla.org/" exceptions="" error="" 
2010:02:25-23:12:53 stuffman httpproxy[4097]: [0xa5b11fc8] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48
2010:02:25-23:12:53 stuffman httpproxy[4097]: [0xa5b11fc8] ssl_log_errors (ssl.c:41) C: 4097:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:842:


Thanks


This thread was automatically locked due to age.
  • interesting...Maybe the proxy isn't able to process netblocks...[:)]

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • interesting...Maybe the proxy isn't able to process netblocks...[:)]


    I am not sure to be honest. I've tried other exceptions for netblocks and they work fine so I am trying to understand whether it's just the SSL scanning exception that doesn't work with netblocks
  • Well, if the browser is passing a FQDN to the proxy, and not an IP, then I would think you would need the FQDN in the exceptions, not the IP...

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Well, if the browser is passing a FQDN to the proxy, and not an IP, then I would think you would need the FQDN in the exceptions, not the IP...



    Dahh... That makes sense. I will have a go and post the results tomorrow. Thanks, BrucekConvergent
  • I take it that worked fine judging by a post you made in another thread.  Happy to help.

  • I take it that worked fine judging by a post you made in another thread.  Happy to help.


    Well, it makes sense for it not to work if you need the FQDN. However, I am unable to add the whole Mozilla network block (/20) as a URL, since when you try to update Firefox you get multiple mirrors. I've added the mozilla.org exception and everything works fine, though.
    Thanks
  • The issue is that the Mozilla mirrors use mirrors all over the world from third-party servers.  There's no way to whitelist that except to exempt everything, since their mirror network is worldwide via various third parties in a round-robin format.
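
The matching question discussed in this thread, as an added example that is not part of any post here and is not the product's own code: it assumes an exception is compared against the host string logged in `url=` for each CONNECT request. The function names and the last two log lines are constructed for illustration.

```python
import ipaddress
import re

# Sample input: line 1 is from the thread, line 2 is shortened from it, lines 3-4 are constructed.
SAMPLE_LOG = '''\
2010:02:25-23:12:49 stuffman httpproxy[4097]: [0xa5b34e98] ssl_log_errors (ssl.c:41) C: 4097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48
2010:02:25-23:12:49 stuffman httpproxy[4097]: id="0001" action="pass" method="CONNECT" request="0xa5b34e98" url="services.addons.mozilla.org/" exceptions="" error=""
2010:02:25-23:13:02 stuffman httpproxy[4097]: id="0001" action="pass" method="CONNECT" request="0xa5b40000" url="63.245.209.10/" exceptions="" error=""
2010:02:25-23:13:05 stuffman httpproxy[4097]: id="0001" action="pass" method="CONNECT" request="0xa5b40010" url="mirror.example.net/" exceptions="" error=""
'''

KV = re.compile(r'(\w+)="([^"]*)"')
UNKNOWN_CA = re.compile(r'\[(0x[0-9a-f]+)\] ssl_log_errors .*alert unknown ca')

def host_of(url):
    """Host part of the logged url field (hostnames and IPv4 literals only)."""
    return url.split("/", 1)[0].split(":", 1)[0].lower()

def netblock_matches(host, netblock):
    """A CIDR rule can only match when the logged host is an IP literal."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(netblock)
    except ValueError:  # host is a name: nothing for the netblock to compare
        return False

def domain_matches(host, domain):
    """Match the domain itself or any subdomain, not arbitrary suffixes."""
    return host == domain or host.endswith("." + domain)

def triage(log, netblock, domain):
    """Per CONNECT: was an 'unknown ca' alert logged, and which rule type would match?"""
    lines = log.splitlines()
    rejected = {m.group(1) for line in lines if (m := UNKNOWN_CA.search(line))}
    rows = []
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("method") != "CONNECT":
            continue
        host = host_of(fields["url"])
        rows.append({
            "host": host,
            "unknown_ca": fields.get("request") in rejected,
            "exceptions_logged": fields.get("exceptions", ""),
            "netblock_match": netblock_matches(host, netblock),
            "domain_match": domain_matches(host, domain),
        })
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "63.245.208.0/20", "mozilla.org"):
        print(row)
```

The third row shows why a domain exception for mozilla.org alone does not cover downloads served from third-party mirror hosts.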