We're running into an error when trying to access HTTPS websites that use content delivery networks (CDNs). A big example is Facebook:
https://www.facebook.com/
After logging on to the encrypted version of Facebook with Apple Safari, you see the text content and some static images, but none of the user-generated images. If you try to individually load an image and then review the Safari certificate error, you get the following window:
You can see that the original URL hostname was:
fbcdn-profile-a.akamaihd.net
From the error window you can see that the common name of the certificate generated by the Astaro gateway is:
a248.e.akamai.net
When accessing this page, the following log entry appears many times:
2011:08:17-17:18:46 gw httpproxy[6419]: [0xae575608] ssl_log_errors (ssl.c:41) C: 6419:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:842:
The HTTPS Proxy CA is installed. You can see it in the image above. The HTTPS transparent proxy works for every site that doesn't use a CDN.
I have tried many different combinations of "Skip certificate checks" to no avail, including using the ANY network.
If HTTPS scanning is disabled, it works fine, as seen below:
Any ideas? Did I miss a thread on the site? Is this a bug having to do with content delivery network SSL keys?
Here is a connection using openssl and our Proxy CA. This is a connection to a student information service called Whipplehill. They are using EdgeCast Networks to deliver content securely.
chasej:~ teacher$ openssl s_client -CAfile ./certs/cacert.pem.cer -connect cdn.media78.whipplehill.net:443
CONNECTED(00000003)
depth=1 /C=us/L=Bethel, ME/O=Gould Academy/CN=Gould Academy Proxy CA/emailAddress=root@gouldacademy.org
verify return:1
depth=0 /C=US/ST=California/L=Santa Monica/O=EdgeCast Networks, Inc./CN=edgecastcdn.net
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Monica/O=EdgeCast Networks, Inc./CN=edgecastcdn.net
i:/C=us/L=Bethel, ME/O=Gould Academy/CN=Gould Academy Proxy CA/emailAddress=root@gouldacademy.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdTCCAt6gAwIBAgIPMZG1CYAET7aSGG3l3GNoMA0GC
*******CONTENT REMOVED************
lw0Hz9Rtaj6x3atY+Wdwg06Ir5BQeEDC9w==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Monica/O=EdgeCast Networks, Inc./CN=edgecastcdn.net
issuer=/C=us/L=Bethel, ME/O=Gould Academy/CN=Gould Academy Proxy CA/emailAddress=root@gouldacademy.org
---
No client certificate CA names sent
---
SSL handshake has read 1051 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 14702B00C76D23F81E8391CB8B16256CF2157289CEB5FB24D1FFD1A929C7F5E7
Session-ID-ctx:
Master-Key: 3A02D5CDF54BC1E7CA8789BCEDA456DFA34AD2A46E7261A723959EDB6B9C5727076BD21A8E30B125876F5C56CB3ADB5C
Key-Arg : None
Start Time: 1313618648
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
Facebook:
chasej:~ teacher$ openssl s_client -CAfile ./certs/cacert.pem.cer -connect fbcdn-profile-a.akamaihd.net:443
CONNECTED(00000003)
depth=1 /C=us/L=Bethel, ME/O=Gould Academy/CN=Gould Academy Proxy CA/emailAddress=root@gouldacademy.org
verify return:1
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify return:1
---
Certificate chain
0 s:/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
i:/C=us/L=Bethel, ME/O=Gould Academy/CN=Gould Academy Proxy CA/emailAddress=root@gouldacademy.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDTTCCAragAwIBAgIPMYlrIuKop+
*********CONTENT REMOVED********************
tjV38FusmW+a4UDaFHNcpwokQCrYLDA41BDsWKPBtnAS
-----END CERTIFICATE-----
subject=/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
issuer=/C=us/L=Bethel, ME/O=Gould Academy/CN=Gould Academy Proxy CA/emailAddress=root@gouldacademy.org
---
No client certificate CA names sent
---
SSL handshake has read 1011 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: DC0C399B682BD6AB14B44EB6BD6606A041290FDE5D0E84D11533CDC15DA78477
Session-ID-ctx:
Master-Key: AA75229A2D7975A0C2C035A9A01BC31A8B31E19542D4E4140B9D238DDC25DDC18CA77D0E554BA513CD5512C4C31D46D7
Key-Arg : None
Start Time: 1313618887
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
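A note on what the two transcripts above do and do not prove, with an added example (this code is not from the original post or from Astaro). `Verify return code: 0 (ok)` from `openssl s_client` means only that the chain validated against the supplied Proxy CA; `s_client` as used here does not compare the hostname that was asked for with the name in the certificate. Safari does perform that comparison, and that is the check that fails: the request was for `fbcdn-profile-a.akamaihd.net` but the certificate the proxy re-signed names `a248.e.akamai.net` (and in the second transcript `cdn.media78.whipplehill.net` versus `edgecastcdn.net`). The script below parses the `subject=` line that `s_client` prints and applies the RFC 6125 matching rules (SubjectAltName dNSNames first, CN as fallback, wildcard only in the leftmost label); the inputs are constructed from the two transcripts in the post, and the wildcard SAN `*.akamaihd.net` in the usage is an assumed value to show what a matching certificate would look like.

```python
"""Hostname-vs-certificate check of the kind a browser performs.

Added example, not code from the original forum post. Given the
'subject=' line printed by openssl s_client (and optionally a list of
SubjectAltName dNSNames), decide whether the certificate is valid for
the hostname the client actually requested.
"""


def parse_openssl_subject(line):
    """Turn 'subject=/C=US/O=Foo/CN=bar' into a dict {'C': 'US', 'O': 'Foo', 'CN': 'bar'}."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    rdn = {}
    for part in line.split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        rdn[key] = value
    return rdn


def _name_matches(pattern, host):
    """RFC 6125 style comparison of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    # A wildcard is accepted only as the whole leftmost label and must
    # match exactly one label; '*.com' must not cover an entire TLD.
    if pattern.startswith("*."):
        host_labels = host.split(".")
        if len(host_labels) < 3:
            return False
        return ".".join(host_labels[1:]) == pattern[2:]
    return False


def hostname_matches(host, cn, san_dns=()):
    """Return (ok, matched_name). SAN dNSNames take precedence; the CN is
    consulted only when the certificate carries no dNSName at all."""
    candidates = list(san_dns) if san_dns else ([cn] if cn else [])
    for name in candidates:
        if _name_matches(name, host):
            return True, name
    return False, None


def check(host, subject_line, san_dns=()):
    """Combine parsing and matching; returns a small result dict."""
    cn = parse_openssl_subject(subject_line).get("CN")
    ok, matched = hostname_matches(host, cn, san_dns)
    return {"host": host, "cn": cn, "ok": ok, "matched": matched}


# Constructed from the two s_client transcripts in the post.
CASES = [
    ("fbcdn-profile-a.akamaihd.net",
     "subject=/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net"),
    ("cdn.media78.whipplehill.net",
     "subject=/C=US/ST=California/L=Santa Monica/O=EdgeCast Networks, Inc./CN=edgecastcdn.net"),
]

if __name__ == "__main__":
    for host, subject in CASES:
        result = check(host, subject)
        print("%-32s cert CN=%-20s -> %s" % (
            host, result["cn"], "OK" if result["ok"] else "HOSTNAME MISMATCH"))
    # Assumed value: a certificate with a wildcard SAN covering the CDN host
    # is what a browser would accept for the Facebook image request.
    print(hostname_matches("fbcdn-profile-a.akamaihd.net",
                           "a248.e.akamai.net", ["*.akamaihd.net"]))
```

Both constructed cases report a hostname mismatch, which is exactly the condition Safari surfaces even though chain validation against the Proxy CA succeeded. The same check is a useful first step whenever a TLS-inspecting proxy "works for most sites": compare the name the client asked for with the name on the certificate the proxy hands back, rather than relying on `Verify return code: 0 (ok)`.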