This topic is now archived and is closed to further replies.

FadeMind

Cisco Umbrella Secondary SubCA fra-AG is unsecure SSL Cert

Hi, why are all certs from Cisco Umbrella Secondary SubCA fra-AG insecure, and why did I get a prompt about an insecure SSL cert while browsing websites?
Regards.
In my network I am using OpenDNS DNS.

20180630-001-screenshot.png


Appears there is an issue with the certificate that OpenDNS is using.

Post a screen shot of the Eset alert with the certificate data shown. My guess is the certificate expired.

4 hours ago, itman said:

My guess is the certificate expired

Nope:

 

20180630-004-screenshot.png

My SETUP
ESET Internet Security Latest Stable (11.154.0)
Adguard For Windows 6.3.1276.3827
Chrome Stable
OpenDNS IPv4 DNS used in Network.
Windows 10 Pro 1803 (17134.137)

Issue
Some domains blocked by Adguard and signed by the OpenDNS cert (valid) are blocked by ESET.
This issue happened only with the OpenDNS provider. Should I give feedback to Cisco about it?

Regards

 


Also check your system date and make sure it's correct.

3 minutes ago, Marcos said:

Also check your system date and make sure it's correct.

¯\_(ツ)_/¯

20180630-006-screenshot.png


Please post a screen shot of the "Certification path" tab.

11 minutes ago, Marcos said:

Please post a screen shot of the "Certification path" tab.

 

20180630-008-screenshot.png


I see a number of issues here.

First, Adguard has an SSL protocol scanning feature. Next, it appears OpenDNS is performing like activities in that it is intercepting HTTPS web traffic with its corresponding root CA certificate. Finally, there is Eset that has SSL protocol scanning enabled by default.

Below is an actual screen shot of the correct, non-intercepted, SSL certificate chain path for counter.hitslink.com per the Qualys SSL Server Test web site:

Eset_Path.thumb.png.9220845f27618fe89c738f6dab38f4b3.png

Given the use of both OpenDNS and Adguard to perform HTTPS network traffic interception, I really can't see how Eset's SSL protocol scanning would function properly. If use of both OpenDNS and Adguard SSL protocol scanning is required, I would disable Eset's SSL protocol scanning.


I did some research on this since I am sure this issue will arise again in regards to OpenDNS. Per a post I found on reddit.com:

Quote

Hey guys, OpenDNS doesn't "scan" HTTPS. The cert is just so that your browser will trust their self-signed cert for that domain that is being intercepted by their block page.

What is happening is that the Cisco Umbrella cert. OpenDNS is using is a self-signed root CA cert. Eset's SSL protocol scanning detects use of the cert. as man-in-the-middle activity and blocks it.

Did you install the Cisco Umbrella root CA cert. as described in this link? https://support.opendns.com/hc/en-us/articles/227987007

 


Hi, thank you guys for the great feedback.
I installed the cert for Cisco Umbrella CA, restarted Chrome, and it seems to work fine. No more of these warnings from ESET.

Regards

20180701-003-screenshot.png
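
Why installing the root CA cert resolved the warning, as an added example that is not part of the original thread: a block-page certificate issued under a private, self-signed root only validates once that root is in the client's trust store. Every name below (Demo Filter Root CA, Demo Filter SubCA, blocked.example) is constructed, the trust store is modelled as a PEM file rather than the Windows certificate store, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. Every name is constructed; no real Cisco or ESET data.
# Assumes the openssl CLI is installed.

# new_csr NAME SUBJECT: write $D/NAME.key and $D/NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}

# self_sign NAME: self-signed CA certificate (issuer == subject)
self_sign() {
  openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" -days 30 \
    -extfile "$D/ca.ext" -out "$D/$1.pem" 2>/dev/null
}

# issue NAME ISSUER [x509 options]: certificate for NAME signed by ISSUER
issue() {
  name=$1 ca=$2; shift 2
  openssl x509 -req -in "$D/$name.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
    -CAcreateserial -days 30 "$@" -out "$D/$name.pem" 2>/dev/null
}

# build_chain DIR: filter root -> sub CA -> block-page leaf, plus two trust stores
build_chain() {
  D=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
  new_csr public "/CN=Demo Public Root";    self_sign public  # stands in for OS roots
  new_csr root   "/CN=Demo Filter Root CA"; self_sign root    # the filter's own root
  new_csr sub    "/CN=Demo Filter SubCA";   issue sub root -extfile "$D/ca.ext"
  new_csr leaf   "/CN=blocked.example";     issue leaf sub
  cp "$D/public.pem" "$D/store_before.pem"                    # root not installed
  cat "$D/public.pem" "$D/root.pem" > "$D/store_after.pem"    # root installed
}

# chain_trusted STORE DIR: succeeds only if the leaf chains to a root in STORE
chain_trusted() {
  openssl verify -CAfile "$1" -untrusted "$2/sub.pem" "$2/leaf.pem" 2>&1 |
    grep -q ': OK$'
}

issuer_of() { openssl x509 -noout -issuer -in "$1"; }

DEMO=$(mktemp -d) && build_chain "$DEMO"
issuer_of "$DEMO/leaf.pem"
for s in before after; do
  if chain_trusted "$DEMO/store_$s.pem" "$DEMO"; then echo "$s install: trusted"
  else echo "$s install: untrusted issuer"; fi
done
rm -rf "$DEMO"
```

The leaf is cryptographically valid and unexpired in both runs; only the contents of the trust store change the verdict, which matches a certificate that shows valid dates yet is still flagged.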
