ProxySG & Advanced Secure Gateway

Hi Team,

We are getting "untrusted SSL server certificate(ssl_server_cert_untrusted_issuer)"

We have already added teh CA certificate in the browser list and also the error seems like host name mismatch in the domain and the certificate which issued.

But customer confirmed that the url domain added in the certificate (SAN field) as well.

I am not sure that the proxy replaced with the legitimate one and show this error.

I have refered below KB which suggested to disable cert validation. please advice on this.

https://support.symantec.com/en_US/article.TECH246330.html

Thanks,

Ram

Hi Ram,

                    Can you share a pcap of this domain traffic for us to check ?

Hi Aravind,

I have shared the pcap output via PM

Thanks,

Ram

Hi Ram,

    The error you are getting on the client browser is due to the feature of “Preserve Untrusted”. Proxy will use the “default-untrusted” certificate to emulate so that the client browser will be showing the error and then can decide whether to allow or not. I have checked the pcap to see that the cert is issued by a CA called “Lufthansa CA”. Probably their internal one. Since their CA cert was not in the chain, did bit of google search to get it. This is attached to this comment. Add this in the proxy under SSL > CA Certificates and add to browser-trusted.

Attachment(s)

LufthansaCA.zip   1 KB 1 version