
Cisco Umbrella Secondary SubCA fra-AG is unsecure SSL Cert


Hi, why are all certs from Cisco Umbrella Secondary SubCA fra-AG unsecure, and why, while browsing websites, did I get a prompt about an unsecure SSL cert?
Regards.
In my network I am using OpenDNS DNS.

20180630-001-screenshot.png


Appears there is an issue with the certificate that OpenDNS is using.

Post a screen shot of the Eset alert with the certificate data shown. My guess is the certificate expired.

4 hours ago, itman said:

My guess is the certificate expired

Nope:

 

20180630-004-screenshot.png

My SETUP
ESET Internet Security Latest Stable (11.154.0)
Adguard For Windows 6.3.1276.3827
Chrome Stable
OpenDNS IPv4 DNS used in Network.
Windows 10 Pro 1803 (17134.137)

Issue
Some domains blocked by Adguard and signed by the OpenDNS cert (valid) are blocked by ESET.
This issue happened only with the OpenDNS provider. Should I give feedback to Cisco about it?

Regards

 


I see a number of issues here.

First, Adguard has an SSL protocol scanning feature. Next, it appears OpenDNS is performing like activities in that it is intercepting HTTPS web traffic with its corresponding root CA certificate. Finally, there is Eset that has SSL protocol scanning enabled by default.

Below is an actual screen shot of the correct, non-intercepted, SSL certificate chain path for counter.hitslink.com per the Qualys SSL Server Test web site:

Eset_Path.thumb.png.9220845f27618fe89c738f6dab38f4b3.png

Given the use of both OpenDNS and Adguard to perform HTTPS network traffic interception, I really can't see how Eset's SSL protocol scanning would function properly. If use of both OpenDNS and Adguard SSL protocol scanning is required, I would disable Eset's SSL protocol scanning.


I did some research on this since I am sure this issue will arise again in regards to OpenDNS. Per a post I found on reddit.com:

Quote

Hey guys, OpenDNS doesn't "scan" HTTPS. The cert is just so that your browser will trust their self-signed cert for that domain that is being intercepted by their block page.

What is happening is that the Cisco Umbrella cert. OpenDNS is using is a self-signed root CA cert. Eset's SSL protocol scanning detects use of the cert. as man-in-the-middle activity and blocks it.

Did you install the Cisco Umbrella root CA cert. as described in this link? https://support.opendns.com/hc/en-us/articles/227987007

 

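The trust relationship described in the post above, as an added example that is not part of the original thread: a block-page certificate issued by a private root verifies only when that root is in the trust store being used. It assumes the `openssl` CLI is installed; every name and certificate is constructed for the demo and is not Cisco's.

```shell
#!/bin/sh
# Constructed demo PKI: none of these names or certificates come from the thread.
set -e

make_demo_pki() {
  d=$1
  # Private root CA, standing in for the filtering service's own root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Filter Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Leaf certificate for the blocked hostname, signed by that private root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=blocked.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Unrelated root: models a trust store that does not contain the filter root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated Public Root" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# chains_to TRUST_ANCHOR_FILE CERT: exit 0 if CERT verifies against the anchor.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issued_by CERT NAME: exit 0 if the issuer field of CERT contains NAME.
issued_by() {
  openssl x509 -noout -issuer -in "$1" | grep -q "$2"
}

work=$(mktemp -d)
make_demo_pki "$work"
openssl x509 -noout -subject -issuer -in "$work/leaf.pem"
for store in other root; do
  if chains_to "$work/$store.pem" "$work/leaf.pem"; then
    echo "trust store = $store.pem: chain verifies"
  else
    echo "trust store = $store.pem: issuer not trusted"
  fi
done
rm -rf "$work"
```
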

Hi, thank you guys for the great feedback.
I installed the cert for Cisco Umbrella CA, restarted Chrome, and it seems to work fine. No more of these warnings from ESET.

Regards

20180701-003-screenshot.png


Archived

This topic is now archived and is closed to further replies.
