ProxySG & Advanced Secure Gateway

  • 1.  ssl server cert untrusted issuer

    Posted Aug 14, 2020 04:33 AM
    Hello, we have deployed SSL interception on a Blue Coat proxy
    with a CSR generated on the proxy, then signed by a CA server, then
    imported the certificate to the proxy and pushed it to user PCs by GPO.
    The SSL intercept is working.

    But we have an issue: some websites get "ssl server cert untrusted issuer".
    For now we are bypassing SSL intercept for some destinations.

    I already checked that the proxy has the CA and intermediate certificates.
    We have 2 proxies: one is 6.6.5.13 (has the issue) and one is 6.7.4.3 (good).
    Both proxies have the same SSL configuration.

    I also have the pcap from both proxies.

    Does anybody have a clue or solution for this issue?
    Any response is really appreciated.

    Attachment(s): pcap proxy.zip (166 KB)


  • 2.  RE: ssl server cert untrusted issuer

    Posted Aug 14, 2020 06:29 AM
    Dear Hadi,

    The ProxySG appliance has an internal trusted CA certificate list. If a web server has a certificate issued by a CA (Certificate Authority) that is unknown to the appliance, the appliance denies access by default. You may disable SSL server certificate validation for those websites as per below CPL to bypass this error.

    <SSL>
    url.domain=www.example.com server.certificate.validate(yes) server.certificate.validate.ignore(untrusted_issuer)

    Alternately you can add this unknown CA to ProxySG's trusted list under SSL > CA Certificates and add to browser-trusted. Use this solution only if you trust the CA.

    Thank you.

    Best Regards,
    Priyesh MP
    Solution Architect | Symantec Knight of the Year, Asia Pacific 2018
    Symantec Certified Specialist (in Blue Coat ProxySG)
    Softcell Technologies Global Pvt. Ltd.
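
The reply above offers two routes: ignore the untrusted issuer, or add the missing CA to the trusted list. To take the second route you first need to know which certificate in the server's chain has no trusted issuer. The following is an added example, not part of the thread and not ProxySG code: it reproduces the check offline with the OpenSSL command line, and every file name and subject in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: locate the certificate whose issuer is not trusted.
# Every file name and subject below is constructed for the demo.

# make_demo_pki DIR: constructed root CA -> intermediate CA -> server leaf.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# failing_depth LEAF TRUSTED_CAS [SENT_INTERMEDIATES]
# Prints "ok" when a path to a trusted CA is built, otherwise the chain depth
# (0 = server certificate) of the certificate whose issuer could not be found.
failing_depth() {
    leaf=$1; trusted=$2; sent=$3
    if out=$(openssl verify -CAfile "$trusted" \
             ${sent:+-untrusted "$sent"} "$leaf" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup.*/\1/p' | head -n 1
    fi
}

# issuer_of CERT: the CA name that has to be present in the trusted list.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Demo: the verifier trusts only the root; compare what the server sends.
demo=$(mktemp -d) && make_demo_pki "$demo"
echo "leaf only:         $(failing_depth "$demo/leaf.pem" "$demo/root.pem")"
echo "leaf+intermediate: $(failing_depth "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem")"
echo "import CA for:     $(issuer_of "$demo/leaf.pem")"
```

A failure at depth 0 means the issuer of the server certificate itself (usually an intermediate the server did not send) is missing from the trusted set; a failure at depth 1 means the intermediate was supplied but its own issuer is not trusted.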




  • 3.  RE: ssl server cert untrusted issuer

    Posted Aug 15, 2020 01:35 AM
    Hi,


    Please do the following:

    Did you put this certificate in browser-trusted?

    If not, kindly add this certificate to browser-trusted.


    Regards,





  • 4.  RE: ssl server cert untrusted issuer

    Posted Aug 15, 2020 10:45 AM
    Edited by hadi Aug 15, 2020 10:46 AM
    Hello, thank you Priyesh and Shaikh for your suggestions.

    Yes, we have installed all the CAs both on the proxy and in the Windows cert manager, and also the browser.
    I also added the CA to browser-trusted in the proxy settings.

    If we bypass untrusted SSL validation, it works normally on 6.6.5.13 (for now we are doing this).

    What confuses me is that the proxy on 6.7.4.3 does not need to bypass untrusted SSL validation; everything works as expected,
    but the proxy on 6.6.5.13 needs to bypass untrusted SSL validation although all the CAs are installed
    and added to browser-trusted (I also added the intermediate certificate too).

    Do I need to upgrade the proxy to 6.7.4.x too?