FadeMind 2 Posted June 30, 2018 Share Posted June 30, 2018 Hi, Why All certs from Cisco Umbrella Secondary SubCA fra-AG are unsecure and during browsing websites I had prompt about unsecure cert SSL? Regards. In My Network I using OpenDNS DNS. Link to comment Share on other sites More sharing options...
itman 1,743 Posted June 30, 2018 Share Posted June 30, 2018 (edited) Appears there is an issue with the certificate that OpenDNS is using. Post a screen shot of the Eset alert with the certificate data shown. My guess is the certificate expired. Edited June 30, 2018 by itman Link to comment Share on other sites More sharing options...
FadeMind 2 Posted June 30, 2018 Author Share Posted June 30, 2018 (edited) 4 hours ago, itman said: My guess is the certificate expired Nope: My SETUP ESET Internet Security Lastest Stable (11.154.0) Adguard For Windows 6.3.1276.3827 Chrome Stable OpenDNS IPv4 DNS used in Network. Windows 10 Pro 1803 (17134.137) Issue Some blocked by Adguard domains signed by opendns cert (valid) are blocked by ESET. This issue happened only with OpenDNS provider. Should I feedback to Cisco with it? Regards Edited June 30, 2018 by FadeMind Link to comment Share on other sites More sharing options...
Administrators Marcos 5,241 Posted June 30, 2018 Administrators Share Posted June 30, 2018 Also check your system date and make sure it's correct. Link to comment Share on other sites More sharing options...
FadeMind 2 Posted June 30, 2018 Author Share Posted June 30, 2018 (edited) 3 minutes ago, Marcos said: Also check your system date and make sure it's correct. ¯\_(ツ)\_/¯ Edited June 30, 2018 by FadeMind Link to comment Share on other sites More sharing options...
Administrators Marcos 5,241 Posted June 30, 2018 Administrators Share Posted June 30, 2018 Please post a screen shot of the "Certification path" tab. Link to comment Share on other sites More sharing options...
FadeMind 2 Posted June 30, 2018 Author Share Posted June 30, 2018 11 minutes ago, Marcos said: Please post a screen shot of the "Certification path" tab. Link to comment Share on other sites More sharing options...
Daedalus 16 Posted June 30, 2018 Share Posted June 30, 2018 See this: https://support.opendns.com/hc/en-us/articles/227987007 Link to comment Share on other sites More sharing options...
itman 1,743 Posted June 30, 2018 Share Posted June 30, 2018 (edited) I see a number of issues here. First, Adguard has a SSL protocol scanning feature. Next, it appears OpenDNS is performing like activities in that it is intercepting HTTPS web traffic with Its corresponding root CA certificate. Finally, there is Eset that has SSL protocol scanning enabled by default. Below is an actual screen shot of the correct, non-intercepted, SSL certificate chain path for counter.hitslink.com per Quals SSL Server test web site: Given the use of both OpenDNS and Adguard to perform HTTPS network traffic interception, I really can't see how Eset's SSL protocol scanning would function properly. If both use of OpenDNS and Adguard SSL protocol scanning is required, I would disable Eset's SSL protocol scanning. Edited June 30, 2018 by itman Link to comment Share on other sites More sharing options...
itman 1,743 Posted July 1, 2018 Share Posted July 1, 2018 I did some research on this since I am sure this issue will arise again in regards to OpenDNS. Per a post I found on reddit.com: Quote Hey guys, OpenDNS doesn't "scan" HTTPS. The cert is just so that your browser will trust their self-signed cert for that domain that is being intercepted by their block page. What is happening is the Cisco Umbra cert. OpenDNS is using is a self-signed root CA cert.. Eset's SSL protocol scanning detects use activity of the cert. as man-in-the-middle activity and blocks it. Did you install the Cisco Umbra root CA cert. as described in this link? https://support.opendns.com/hc/en-us/articles/227987007 Link to comment Share on other sites More sharing options...
FadeMind 2 Posted July 1, 2018 Author Share Posted July 1, 2018 Hi, thanks you guys for great feedback. I installed cert for Cisco Umbrella CA, restart chrome and seems works fine. No more these warning from ESET. Regards Link to comment Share on other sites More sharing options...
Recommended Posts