Jump to content

Cisco Umbrella Secondary SubCA fra-AG is unsecure SSL Cert

FadeMind
 Share

Recommended Posts

FadeMind

FadeMind 2

Posted
Posted

Hi, Why All certs from Cisco Umbrella Secondary SubCA fra-AG are unsecure and during browsing websites I had prompt about unsecure cert SSL?
Regards.
In My Network I using OpenDNS DNS. 

20180630-001-screenshot.png

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Appears there is an issue with the certificate that OpenDNS is using.

Post a screen shot of the Eset alert with the certificate data shown. My guess is the certificate expired.

Edited by itman
Link to comment
Share on other sites
FadeMind

FadeMind 2

Posted
  • Author
Posted (edited)
4 hours ago, itman said:

My guess is the certificate expired

Nope:

 

20180630-004-screenshot.png

My SETUP
ESET Internet Security Lastest Stable (11.154.0)
Adguard For Windows 6.3.1276.3827
Chrome Stable
OpenDNS IPv4 DNS used in Network.
Windows 10 Pro 1803 (17134.137)

Issue
Some blocked by Adguard domains signed by opendns cert (valid) are blocked by ESET.
This issue happened only with OpenDNS provider. Should I feedback to Cisco with it?

Regards

 

Edited by FadeMind
Link to comment
Share on other sites
FadeMind

FadeMind 2

Posted
  • Author
Posted (edited)
3 minutes ago, Marcos said:

Also check your system date and make sure it's correct.

¯\_(ツ)\_/¯

20180630-006-screenshot.png

Edited by FadeMind
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

I see a number of issues here.

First, Adguard has a SSL protocol scanning feature. Next, it appears OpenDNS is performing like activities in that it is intercepting HTTPS web traffic with Its corresponding root CA certificate. Finally, there is Eset that has SSL protocol scanning enabled by default.

Below is an actual screen shot of the correct, non-intercepted, SSL certificate chain path for counter.hitslink.com per Quals SSL Server test web site:

Eset_Path.thumb.png.9220845f27618fe89c738f6dab38f4b3.png

Given the use of both OpenDNS and Adguard to perform HTTPS network traffic interception, I really can't see how Eset's SSL protocol scanning would function properly. If both use of OpenDNS and Adguard SSL protocol scanning is required, I would disable Eset's SSL protocol scanning.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted

I did some research on this since I am sure this issue will arise again in regards to OpenDNS. Per a post I found on reddit.com:

Quote

Hey guys, OpenDNS doesn't "scan" HTTPS. The cert is just so that your browser will trust their self-signed cert for that domain that is being intercepted by their block page.

What is happening is the Cisco Umbra cert. OpenDNS is using is a self-signed root CA cert.. Eset's SSL protocol scanning detects use activity of the cert. as man-in-the-middle activity and blocks it.

Did you install the Cisco Umbra root CA cert. as described in this link? https://support.opendns.com/hc/en-us/articles/227987007

 

Link to comment
Share on other sites
FadeMind

FadeMind 2

Posted
  • Author
Posted

Hi, thanks you guys for great feedback. 
I installed cert for Cisco Umbrella CA, restart chrome and seems works fine. No more these warning from ESET. 

Regards

20180701-003-screenshot.png

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...