Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 63 replies
  • Subscribers 1 subscriber
  • Views 62900 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL Filtering Stops Working

tscott_16
I have a PC-based gateway with SSL web filtering enabled and everything works fine for a few days and then suddenly it stops working. I'm still able to surf the web just fine but anything HTTPS just passes right through without the filter ever even seeing it. I can reboot the gateway and SSL filtering works again. Any idea what's causing it to stop without warning?


This thread was automatically locked due to age.
  • 0 in reply to Michael Dunn
    I have no problems with kickstarter, with a machine installed yesterday.

    The actual CA certs are here:

    van-asg-03:/var/storage/chroot-http/etc/ssl/certs # ls -l /var/storage/chroot-http/etc/ssl/certs/*Daddy*

    -rw-r--r-- 1 root root 1499 Mar 17 17:17 /var/storage/chroot-http/etc/ssl/certs/Go_Daddy_Class_2_CA.pem
    -rw-r--r-- 1 root root 1438 Mar 17 17:17 /var/storage/chroot-http/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_G2.pem
    -rw-r--r-- 1 root root 1750 Mar 17 17:17 /var/storage/chroot-http/etc/ssl/certs/STATIC_GoDaddy.com_Inc_Go_Daddy_Secure_Certification_Authority.pem



    Here's my output:

     utm:/var/storage/chroot-http/etc/ssl/certs # l *Daddy*
    -rw-r--r-- 1 root root 1499 Mar 14 01:08 Go_Daddy_Class_2_CA.pem
    -rw-r--r-- 1 root root 1438 Mar 14 01:08 Go_Daddy_Root_Certificate_Authority_G2.pem
    -rw-r--r-- 1 root root 1750 Mar 14 01:08 STATIC_GoDaddy.com_Inc_Go_Daddy_Secure_Certification_Authority.pem


     utm:/var/storage/chroot-http/etc/ssl/certs # md5sum *Daddy*
    f811c878971847a9c7eb5dfc2cba0f37  Go_Daddy_Class_2_CA.pem
    bbebd091e6ec6505868bd96531c30238  Go_Daddy_Root_Certificate_Authority_G2.pem
    5a31942eb853c0db6cda76123114c8d2  STATIC_GoDaddy.com_Inc_Go_Daddy_Secure_Certification_Authority.pem
     utm:/var/storage/chroot-http/etc/ssl/certs #
  • 0 in reply to brassardv
    Im still having problem with godaddy.
    Since it not all SSL, like before, im using exeptions. And hoping sophos to push a patch.
    Do you have a support ticket on this ahargrove ?



    I have a case open through my reseller, not directly through Sophos...
  • 0
    Same error, same checksum :
    f811c878971847a9c7eb5dfc2cba0f37  Go_Daddy_Class_2_CA.pem
    bbebd091e6ec6505868bd96531c30238  Go_Daddy_Root_Certificate_Authority_G2.pem
    5a31942eb853c0db6cda76123114c8d2  STATIC_GoDaddy.com_Inc_Go_Daddy_Secure_Certification_Authority.pem

    Let wait for someone with working version to post a md5 checksum
  • 0
    For sites like kickstarter.com which uses GoDaddy's certificate chain, the entire certificate chain needs to be imported into the web proxy's CA section.  With the kickstarter.com case, "ValiCert Class 2 Policy Validation Authority" certificate needs to be imported into the proxy's CA.
  • 0
    Thanks jays it work for me to download and import the Valicert certificate.
    Kickstarter and wetransfer are now ok.

    Thanks you.
  • 0
    For people who are (or until recently were) experiencing the incorrect CA, can you please run this:
    zgrep cadata /var/log/up2date/2014/*/* | grep patch

    Specifically you are looking for a line like:
    /var/log/up2date/2014/02/up2date-2014-02-20.log.gz:2014:02:20-18:00:08 van-asg-02 auisys[8792]: Installing up2date package file '/var/up2date//cadata/u2d-cadata-9.52-53.patch.tgz.gpg'

    This patch from Feb 20 should have resolved this.
  • 0
    Michael, that patch was applied, but I still had to install the CA manually.  I reported this as a bug via Support last week, and I think a new patch is in preparation.

    Cheers - Bob
  • 0 in reply to Michael Dunn
    I get no output from this command and my system produces ssl errors requiring a reboot more than once per day.


    [FONT=monospace]2014:03:23-12:54:51  wahine httpproxy[5479]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0xe8cd320" function="ssl_log_errors" file="ssl.c"  line="86" message="C 10.1.2.11: 4073585520:error:14094418:SSL  routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert  number 48" [/FONT]
    [FONT=monospace]
    2014:03:23-12:54:51  wahine httpproxy[5479]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0xe8cd320" function="ssl_log_errors" file="ssl.c"  line="86" message="C 10.1.2.11: 4073585520:error:140940E5:SSL  routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:989:" [/FONT]

    Rebooting restores functionality of ssl-based web connections (eg. https web sites).

    Reviewing the patches, here is a list of all patches made to the system since installation:

    up2date-2014-03-21.log.gz:2014:03:21-19:01:59 wahine auisys[16114]: Installing up2date package file '/var/up2date//aptp/u2d-aptp-9.787.tgz.gpg'
    up2date-2014-03-21.log.gz:2014:03:21-19:02:18 wahine auisys[16114]: Installing up2date package file '/var/up2date//geoip/u2d-geoip-7.82.tgz.gpg'
    up2date-2014-03-21.log.gz:2014:03:21-19:02:34 wahine auisys[16114]: Installing up2date package file '/var/up2date//ipsbundle/u2d-ipsbundle-9.124.tgz.gpg'
    up2date-2014-03-21.log.gz:2014:03:21-19:02:53 wahine auisys[16114]: Installing up2date package file '/var/up2date//avira3/u2d-avira3-9.5641.tgz.gpg'
    up2date-2014-03-21.log.gz:2014:03:21-19:03:37 wahine auisys[16114]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4669.tgz.gpg'
    up2date-2014-03-21.log.gz:2014:03:21-23:28:22 wahine auisys[13621]: Installing up2date package file '/var/up2date//aptp/u2d-aptp-9.788.tgz.gpg'
    up2date-2014-03-21.log.gz:2014:03:21-23:28:55 wahine auisys[13621]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4669-4670.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-04:05:36 wahine auisys[12250]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4670-4671.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-05:05:30 wahine auisys[15352]: Installing up2date package file '/var/up2date//avira3/u2d-avira3-9.5641-5642.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-05:20:34 wahine auisys[16163]: Installing up2date package file '/var/up2date//avira3/u2d-avira3-9.5642-5643.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-05:35:21 wahine auisys[16939]: Installing up2date package file '/var/up2date//aptp/u2d-aptp-9.789.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-05:50:38 wahine auisys[17924]: Installing up2date package file '/var/up2date//avira3/u2d-avira3-9.5643-5644.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-08:35:31 wahine auisys[26284]: Installing up2date package file '/var/up2date//avira3/u2d-avira3-9.5644-5645.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-09:05:29 wahine auisys[27839]: Installing up2date package file '/var/up2date//avira3/u2d-avira3-9.5645-5646.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-10:05:19 wahine auisys[30880]: Installing up2date package file '/var/up2date//geoipxtipv6/u2d-geoipxtipv6-9.34.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-10:20:45 wahine auisys[31698]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4671-4672.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-11:35:25 wahine auisys[3479]: Installing up2date package file '/var/up2date//aptp/u2d-aptp-9.790.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-15:05:46 wahine auisys[15548]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4672-4673.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-17:55:30 wahine auisys[7111]: Installing up2date package file '/var/up2date//aptp/u2d-aptp-9.791.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-20:25:47 wahine auisys[24882]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4673-4674.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-21:25:50 wahine auisys[32671]: Installing up2date package file '/var/up2date//savi/u2d-savi-9.4674-4675.patch.tgz.gpg'
    up2date-2014-03-22.log:2014:03:22-23:40:17 wahine auisys[16320]: Installing up2date package file '/var/up2date//aptp/u2d-aptp-9.792.tgz.gpg'




    It seens that UTMs will remain broken if one installed after the patch referred to above was released ('/var/up2date//cadata/u2d-cadata-9.52-53.patch.tgz.gpg').  That would elevate the severity of the problem, I assume.
  • 0
    Hi guys, I'm going to let support deal with this one, it's out of my area of expertise.

    The only other thing I have found out is this command:
    rpm -qa| grep u2d

    This will show currently installed versions.  This was supposed to be fixed in u2d-cadata-9-53.
  • 0 in reply to Michael Dunn
    Hi guys, I'm going to let support deal with this one, it's out of my area of expertise.


    I think it's broken beyond what is supportable.
    I've wiped and reinstalled 9.1x.

    Given government insertion in all things cryptographic and this being a German assets purchased by a US-British firm, I'm having some security gurus look at the nature of the issues here as well... but that will remain off-line.