Posts posted by Dusan

  1. 13 hours ago, itman said:

    Since this thread has gotten way too long, I am going to wrap my comments up with the following.

    I believe the issue here is the use of Google Authenticator and how the resultant generated 2FA code is entered on the web page. Why that is Eset will have to check out.

    You might consider receiving the 2FA code via cell phone text message and manually entering it on the web page. I have strong suspicions that will work.

    I'm not sure that the issue is Google Authenticator, because everything works fine as soon as I disable protocol scanning in ESET. Also, on a computer without ESET I can log into the web site from Firefox without a problem.

    But thank you very much for the assistance; I will test once more to see what the problem can be.

  2. 1 hour ago, itman said:

    As you can see by the below screen shot, I can access that domain without issue. I obviously can't get to the 2FA web page w/o a valid logon for the site and having 2FA enabled.

    On the 2FA web page you posted, check the cert. and verify it matches info listed for cex.io cert. added to Eset List of known certificates. However since the URL is the same as that for logon web page, I would suspect it's using the same cert. It really is starting to look like the 2FA processing is detecting Eset "in the web site examination loop" in some fashion and is blocking further 2FA processing.

    BTW - I was able to add cex.io to List of known certificates via URL method w/o issue with SSL/TLS protocol scanning enabled. Perhaps you didn't specify the URL correctly. It must be https://cex.io

    [Screenshot: CEX_Logon]

    I can also access the domain without issue. The only problem is that when I enter my email and password and press sign in, it just keeps loading and I can't get to 2FA. I added one URL, but later I added several options just to cover all URLs. You can see this in the picture that I attached.

    52 minutes ago, itman said:

    Did you add all the following? Per Robtex: https://www.robtex.com/ lookup:

     

    I didn't use Robtex; I found the DNS records by other methods, but I checked on Robtex and it's the same addresses.

    You can check in the picture that I attached. But still no success.

    Pict.jpg

    Pict2.jpg

  3. 28 minutes ago, itman said:

    Add cex.io domain to List of Allowed Addresses per below screen shot. I am not sure if this totally bypasses SSL/TLS protocol scanning. Ignore my "Notify when applying" and "Logging severity" settings:

    [Screenshot: Eset_Allow]

    I must say, the problem with the cert. is solved. Now it's a problem with protocol scanning, I'm sure. I tried this method and nothing.

    21 minutes ago, itman said:

    How is this possible in Firefox? It's a Google store app and doesn't exist in Firefox's add-on list.

    I use Google Authenticator on my phone to get the access code to log in.

    18 minutes ago, itman said:

    Also what is the URL shown for the cex.io 2FA web page? If it is not cex.io something, what we are attempting is not going to work.

    It's the same address as the home page, only the subdomain is ../auth/login.

    I attached a picture with protocol filtering disabled; there you can see the address.

    Annotation 2021-04-03 211955.jpg

  4. 1 minute ago, itman said:

    I found a YouTube video by CEX that explains the 2FA processing. It certainly looks like a web page to me. And again, I suspect it is using a different cert. than the rest of the cex.io web site.

    Also here: https://support.cex.io/en/articles/4383389-two-factor-authentication-2fa-troubleshooting-tips , there is wording about Google Authenticator. Are you using that?

    [Screenshot: cex_2FA]

    Yes, I'm using Google Authenticator, and I've been using that web site for a few years and didn't have a problem until a few months ago.

    And yes, it's a web page.

  5. After some more testing, I think it's not a cert. problem here.

    When I disable SSL/TLS, I can't log in to the website anymore. When I disable Application protocol content filtering and leave SSL/TLS enabled, I can log on to the website and 2FA works fine. I left protocol content filtering disabled for 20 minutes, and I could log on to the web site every time.

    So I think it's not a problem with the cert. anymore. Can you tell me what I can do to exclude that website from protocol filtering?

    I tried to add the IP address but no success there.

  6. 1 hour ago, itman said:

    You are not paying attention to what I am posting:

    You are accessing the cex.io website with SSL/TLS protocol scanning enabled. As such, the certificate exclusion is not being created properly. Note that the cert. you added has Eset as the cert. issuer.

    Again ........

    1. Delete existing cex.io entry from List of known certificates.

    2. Disable SSL/TLS protocol scanning.

    3. Download the cex.io web site certificate as previously posted.

    4. Enable SSL/TLS protocol scanning.

    5. Proceed to add previously downloaded cex.io certificate to List of known certificates using File method as previously posted.

    OK. I read both posts again. Now I deleted the old cert., disabled SSL/TLS, downloaded the cex.io cert., enabled SSL/TLS, and imported the cert. I still can't access the web site.

    But I need to mention that cex.io shows me 3 tabs with certificates. I did that with only the cex.io cert. Nothing.

    Then I tried to add all 3, but first I deleted the existing cert. and followed the previous steps to download and import all 3 of them. Still nothing.

     

    Annotation 2021-04-03 191923.jpg
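
Added example, not part of the thread: the quoted steps above turn on the fact that a certificate saved while SSL/TLS protocol scanning is on carries the scanner's CA as its issuer. This shell check reads the issuer of a saved PEM file with the openssl CLI; the function names, file names and throwaway certificates are constructed for illustration, and "ESET SSL Filter CA" is the CA name as it is written elsewhere on this page.

```shell
#!/bin/sh
# Added example: tell whether a saved PEM certificate was issued by a local
# TLS-filtering CA (i.e. it was exported while protocol scanning was active).
# Requires the openssl CLI. All certificates made below are constructed.

FILTER_CA="ESET SSL Filter CA"   # CA name as written on this page

# cert_origin FILE -> prints "filtered" if the issuer contains FILTER_CA,
# "origin" otherwise; returns 2 if FILE is not a readable certificate.
cert_origin() {
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    case "$issuer" in
        *"$FILTER_CA"*) echo filtered ;;
        *)              echo origin ;;
    esac
}

# cert_sha256 FILE -> SHA-256 fingerprint, for comparing a saved file with
# the entry shown in a certificate exclusion list.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# make_sample_certs DIR -> two constructed leaf certs for CN=cex.io: one
# signed by a stand-in filter CA, one by a stand-in public CA.
make_sample_certs() {
    d=$1
    for ca in filter public; do
        [ "$ca" = filter ] && cn="$FILTER_CA" || cn="Constructed Public CA"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=cex.io" \
            -keyout "$d/$ca-leaf.key" -out "$d/$ca-leaf.csr" 2>/dev/null
        openssl x509 -req -in "$d/$ca-leaf.csr" -CA "$d/$ca-ca.pem" \
            -CAkey "$d/$ca-ca.key" -CAcreateserial -days 1 \
            -out "$d/$ca-leaf.pem" 2>/dev/null
    done
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir"
for f in "$demo_dir"/*-leaf.pem; do
    echo "$(basename "$f"): $(cert_origin "$f") $(cert_sha256 "$f")"
done
rm -rf "$demo_dir"
```

A file reported as "filtered" is the scanner's re-signed copy, so its fingerprint will not match the certificate the site itself serves.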

  7. 1 hour ago, itman said:

    You didn't post any screen shots? We need a screen shot of the web page where you enter your 2FA data. That is if it's actually a web page and not some type of popup screen being generated by the web site?

    To download the web site certificate, perform the following. I will be using the Eset forum web page as an example on how to add a certificate using the "File" option:

    1. Mouse click on lock symbol that precedes the URL.

    2. Expand; i.e. mouse click on ">", Connection secure details.

    3. Mouse click on More Information.

    4. Mouse click on View Certificate:

    [Screenshot: Eset_Cert_1]

    5. Download the web site certificate to wherever by mouse clicking on PEM (cert):

    [Screenshot: Eset_Cert_2]

    6. Now add the certificate to Eset as shown in the below screen shot. Note: you are using the "File" option:

    [Screenshot: Eset_Cert_3]

    7. Set Scan action to Ignore:

    [Screenshot: Eset_Cert_4]

    8. The end result is certificate is added to Eset with it set to be ignored by SSL/TLS protocol scanning:

    [Screenshot: Eset_Cert_5]

    Omg, sorry. I forgot to attach the pictures. I'm attaching the pictures that I was supposed to add last night.

    And I also tried what you told me, without success. I added a picture for that.

    Pic1.jpg

    Pic2.jpg

    Pciture10.jpg

  8. 1 hour ago, itman said:

    I assume then you just added the cert. for the web site's home page then? Check the cert. used on the web site's logon web page. Is it different than the one for the home page? My bank's web site literally uses a different cert. for every web site section accessed. If cert. for logon page different than home page, add the cert. exclusion for the logon web page.

     

    In the picture you will see the name of the site and the cert. for it. The strange thing is that when I try to check the cert. on the Firefox page, it just shows that it doesn't recognize the cert.

    But when I try to import the cert. from URL in Eset, it shows a different cert. You can see it in the second picture. I checked in Firefox and it is listed under trusted certs.

    Also, when I go to the trusted certs in Firefox and export it, I can't import it into Eset.

  9. 17 minutes ago, itman said:

     

    Ok. I guess you never used Eset Banking & Payment Protection for anything since it will ask you whether you want to add the web site certs. there.

    No, I don't use Eset Banking & Payment Protection.

    17 minutes ago, itman said:

    So its on to Plan B:

    To do this, you will have to temporarily disable SSL/TLS protocol filtering. Then add the cert. associated with the 2FA web page. "My gut is telling me" this web page is using a different cert. than the rest of the URL's associated with the web site. Make sure you re-enable SSL/TLS protocol filtering afterwards.

    I can't do it in that exact order. When I disable SSL/TLS protocol filtering, every other option is greyed out, so I can't add the cert.

    I left it enabled and added the cert., but still nothing.

  10. 1 hour ago, itman said:

    The easiest way to do this is to exclude the entire web site from SSL/TLS protocol scanning.

    Refer to this: https://support.eset.com/en/kb5833-manage-protocolssltls-filtering-in-eset-windows-home-products . Scroll down to this section in the article - "SSL/TLS Scanning." Proceed to this sub-section Remove a certificate from the known certificates list. Important - we are not removing anything. Only use this as a guide to find the cert. associated with the 2FA web site you are having issues with. Select the site URL - certificate entry and mouse click on the Edit tab. Change the "Scan action" to Ignore. Save your changes. Verify that changes were made.

    Now try to access this 2FA web site you're having issues with.

    In the list of known certificates I don't have anything, so I can't edit any certificate associated with that web site.

     

    Pict.jpg

  11. 1 hour ago, itman said:

    I will also add that not all two factor authorization processing is the same.

    My bank has 2FA and I have no issues with Eset's B&PP using Firefox. 

    Eset doesn't perform SSL/TLS protocol scanning for my bank's web sites. Therefore the solution, as I see it, is to exclude these web sites with 2FA from Eset SSL/TLS protocol scanning. Also, it is likely that the 2FA web page has a unique cert. associated with it. So that would be the cert. that needs to be excluded. Problem is you will have to temporarily exclude Eset SSL/TLS protocol scanning to access the 2FA web page, then exclude that cert. and re-enable Eset SSL/TLS protocol scanning.

    Yeah, it probably has. And I'm sure it is something to do with that, because when I disable SSL/TLS protocol filtering everything works fine on that website. Can you help me with excluding the certificate?

    Do you mean to go to the List of known certificates, import it from URL, and allow access and ignore scan for that certificate?

  12. 2 hours ago, itman said:

    Based on this: https://dimitri.janczak.net/2019/11/25/firefox-displays-ssl-error-sec_error_inadequate_key_usage-when-using-self-signed-certificate/ , I would say Eset's root CA certificate needs to be added to Firefox's Authority store.

    I suspect the 2FA validation process is performing additional certificate verification processing in regards to cert. chaining activities.

    OK, I tried this and I think it did solve the problem with ESMC; so far I haven't received the error.

    But the problem with 2FA is still the same.

    1 hour ago, itman said:

    I will also add that not all two factor authorization processing is the same.

    My bank has 2FA and I have no issues with Eset's B&PP using Firefox. 

    Here's the solution to the issue. Eset doesn't perform SSL/TLS protocol scanning for my bank's web sites. Therefore the solution, as I see it, is to exclude these web sites with 2FA from Eset SSL/TLS protocol scanning.

    Yeah, I know it's not the same. For instance, I have 2FA on multiple websites, but I only have a problem with this one. So I tried excluding that website from protocol filtering (excluded IP addresses).

    But can you tell me how I can exclude it from SSL/TLS protocol scanning? I only know about the list of SSL/TLS filtered applications.

    1 hour ago, Marcos said:

    What about uninstalling Firefox, deleting user profiles and installing it from scratch?

    Frankly, I haven't tried that because it is my last option. If I'm sure that this is the problem, I will do it. But I will try to install Win 10 on a VM and try there, to be sure whether it works on a fresh install.

  13. For example, when I try to log on to the website, after entering username and password I should get a window for 2FA. But when I press the log in button, the screen just keeps loading.

    With Chrome and Edge I don't have that problem on the same website. With Firefox I can only solve it by disabling SSL/TLS protocol filtering.

    On my office PC the problem is the same when I try to access that website (on the office PC I'm using Endpoint Security).

    Also, I have a problem accessing ESMC over Firefox. The error page is in the attachment. When I switch to Chrome I don't have that problem.

     

    Pic.jpg

  14. Hi. As the title says, I have had a problem lately with Firefox and ESET. When I try to load a website or log in and get 2FA, nothing happens.

    I can only solve this problem by disabling SSL/TLS protocol filtering.

    So, I checked the certificates, and in Windows Trusted Root I have ESET SSL Filter CA. I also checked the thumbprint and it's the same as the one registered in the ESET root certificate. I also checked in Firefox and I don't have ESET SSL Filter CA registered there, but I think that is OK because I have these two options set to true:

       

    security.certerrors.mitm.auto_enable_enterprise_roots - true

    security.enterprise_roots.enabled - true

    Any idea what else I can check and try?