
OpenVAS web login gives me eset SSL_ERROR_BAD_CERT_ALERT



Hi,

I am trying the openVAS tryout in a virtual machine as they suggested on their site.

But eset and firefox are preventing me from accessing it.  I am getting:

   Secure Connection Failed

   An error occurred during a connection to "IP address" SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT

I think the virtual machine is a linux and it uses a self-signed SSL certificate.

Is there a way to add an exception in eset for a web site that I trust?


  • Administrators

In the advanced setup -> Web and email -> Protocol filtering, you can exclude applications or IP addresses from protocol filtering.


Hi,

I am trying what you suggested but:

1- I could not find your option 'Protocol filtering'.

2- I could only find 'advanced setup -> web and email -> web access protection -> url address management' that has an address list that I can edit.

I added the IP address in the 'list of allowed addresses' and clicked ok to confirm.

But that does not help.  I am still getting the same error message.


An alternative approach is to exclude the certificate associated with the domain (URL) from SSL protocol scanning.

The below screen shot shows how to do so. Best way to add the certificate for exclusion is to set SSL protocol filtering mode to Interactive. Then access the HTTPS web site. Eset will ask you to block or allow the certificate associated with the web site - select "allow" for access action. Then, additionally select "ignore" for scan action. Finally, reset SSL protocol filtering mode to Automatic.

[Screenshot: Eset_Exclude_Cert]

Edited by itman

Thanks for your help.

I tried both your suggestions.

1- When I "set SSL protocol filtering mode to Interactive", I cannot even access this forum. I am getting that same error SSL_ERROR_BAD_CERT_ALERT.

2- So I tried adding the ip address in the 'list of known certificates' but it does not seem to help when I "set SSL protocol filtering mode to Interactive".  Eset does not ask me anything even though the option is set to 'interactive' and the certificate was added in the list with 'Auto'. 

[Screenshot: eset]

So I have put it back to 'automatic' and changed the access to 'Allow' and 'Ignore' and it seems to have worked through Firefox adding the exception for that address.

Edited by virtualpaul

1 hour ago, virtualpaul said:

So I have put it back to 'automatic' and changed the access to 'Allow' and 'Ignore' and it seems to have worked through Firefox adding the exception for that address.

Post a screen shot of what is currently shown in "List of known certificates."


Just so that you're aware of this, any localhost HTTPS connection, i.e. 127.0.0.0 - 127.255.255.255, using this certificate will not be scanned for malware via Eset's SSL protocol scanning feature.


I used the eset menus to enter a specific IP address (192.168....) but it saved 'localhost' so I am not sure what I can do.

I don't like this at all but is there another option?

Edited by virtualpaul

33 minutes ago, virtualpaul said:

I don't like this at all but is there another option?

If this certificate is related to a specific internal IP address as you posted, you can try to exclude SSL protocol scanning for that IP address as shown by the below screen shot. Add the IP address to the Excluded IP addresses section. Before doing this, you will have to first delete the existing List of known certificates entry.

Then test to see if this solves your problem.

-EDIT- Note this disables all of Eset's web filtering protection for this IP address.

[Screenshot: Eset_Exclude_IP_Address]

Edited by itman

So it would seem that either way I am opening some security holes.  I am not sure which one is worse.

Is there a way to just accept that self-signed SSL certificate without opening new security holes?


You could try to use the "File" option to add the certificate to the List of known certificates as shown by the below screen shot. First of course you would have to export the cert. using the certmgr.msc option.

I have never used this option. "My gut" tells me you will end up with an entry identical to the existing one. That is Name and Issuer will be set to "Localhost." So what you have presently might be your best option. Also Eset doesn't explain what "Localhost" means in this context. It might just mean ignore scanning any HTTPS communication that uses this certificate which I believe is what you want.

[Screenshot: Eset_Cert_Load]
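
Added example, not part of the thread and not ESET or OpenVAS code: before trusting a self-signed certificate by file or by exception, compare the certificate the appliance actually presents with a SHA-256 fingerprint recorded out of band, and export it only on a match. It assumes the expected fingerprint was read on the VM's own console; the host, fingerprint and output path are supplied by the user.

```python
import hashlib
import hmac
import socket
import ssl
import string
import sys


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Keep hex digits only so pasted fingerprints compare regardless of format."""
    return "".join(c for c in fp if c in string.hexdigits).upper()


def matches_pin(der: bytes, expected_fp: str) -> bool:
    """True only if this is the certificate whose fingerprint was recorded."""
    return hmac.compare_digest(normalise(fingerprint(der)), normalise(expected_fp))


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the presented certificate without validating it.

    Chain validation is skipped on purpose: the certificate is self-signed,
    so trust comes from the fingerprint comparison, not from a CA.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def export_if_pinned(der: bytes, expected_fp: str, path: str) -> bool:
    """Write the certificate as PEM only when it matches the pin."""
    if not matches_pin(der, expected_fp):
        return False
    with open(path, "w", encoding="ascii") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(der))
    return True


if __name__ == "__main__":
    host, pin, out = sys.argv[1:4]  # appliance IP, recorded fingerprint, PEM path
    ok = export_if_pinned(fetch_der(host), pin, out)
    print("match, exported" if ok else "MISMATCH: do not add an exception")
```

If a TLS-inspecting filter sits between this script and the appliance, the fingerprint seen is that of the filter's substituted certificate, so a mismatch can also mean the connection is being intercepted.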

 

 

 
