
SSL certificate authority issue (Firefox or ESET's issues or both?)


cmit


Why three certificate postings? There should only be one Eset certificate in the Trusted Root Certification Authorities folder. Also why is the last certificate shown with a valid from date of today? Did you reinstall Eset on the device today?

Edited by itman

2 hours ago, itman said:

Why three certificate postings? There should only be one Eset certificate in the Trusted Root Certification Authorities folder. Also why is the last certificate shown with a valid from date of today? Did you reinstall Eset on the device today? 

for three testing computers.
Don't know why the valid from date is today. Did not reinstall ESET.


In IE11 and for the Eset forum web site, click on the lock symbol on the IE11 toolbar. Does it state Eset SSL Filter CA for Website Identification?

Likewise, go to https://badssl.com/dashboard/ and do the same and verify Eset SSL Filter CA is also shown.

Also for both these sites, verify that the web site certificate chains to the Eset SSL Filter CA certificate:


-EDIT- Additionally for both web sites, verify that the thumbprint for the Eset SSL Filter CA chained root certificate matches the thumbprint for the corresponding Eset SSL Filter CA certificate stored in the Windows Trusted Root Certification Authorities folder:


Edited by itman

If "you're following my drift" in the previous posting, it's starting to appear to me that some type of man-in-the-middle activity is occurring for your Internet connections. It is the only explanation I can think of for the Eset non-alert status when accessing the https://badssl.com/dashboard/ web site.

Edited by itman

On 5/12/2019 at 5:49 AM, itman said:

In IE11 and for the Eset forum web site, click on the lock symbol on the IE11 toolbar. Does it state Eset SSL Filter CA for Website Identification?

Likewise, go to https://badssl.com/dashboard/ and do the same and verify Eset SSL Filter CA is also shown.

Also for both these sites, verify that the web site certificate chains to the Eset SSL Filter CA certificate:


-EDIT- Additionally for both web sites, verify that the thumbprint for the Eset SSL Filter CA chained root certificate matches the thumbprint for the corresponding Eset SSL Filter CA certificate stored in the Windows Trusted Root Certification Authorities folder:


Both the ESET forum and the badssl.com/dashboard websites state ESET SSL Filter CA on all three tested computers
but two of three tested computers' IE's ESET SSL Filter CA's thumbprint do not match the ESET SSL Filter CA in the certmgr.msc's Windows Trusted Root Certification Authorities folder.

What does this mean? How is this related to the issues we are having?

All certificates are valid (not expired).
Every time there's a newer version of ESET EndPoint AntiVirus released, we trigger update from ESMC. Would this be the cause of some thumbprint not matched?


I need at least two people from ESET to comment on the issues I'm having.
@Marcos @MichalJ


On 5/12/2019 at 1:21 PM, itman said:

If "you're following my drift" in the previous posting, it's starting to appear to me that some type of man-in-the-middle activity is occurring for your Internet connections. It is the only explanation I can think of for the Eset non-alert status when accessing the https://badssl.com/dashboard/ web site.

@itman Could you give an example of the man-in-the-middle activity on our Internet connections?
Do you mean it could be related to our ESMC setup, our domain controller policies, or from possible external threat activities?

I am still waiting for @Marcos or someone else from ESET to explain why you and I both have the badssl.com result (ESET non-alert status) instead of ESET's alert.


1 hour ago, cmit said:

I am still waiting for @Marcos or someone else from ESET to explain why you and I both have the badssl.com result (ESET non-alert status) instead of ESET's alert.

To begin with, I am having no issues in regards to the badssl.com web site test using either IE11 or Firefox. My test results are identical to those previously posted by @Marcos; initially a red popup Eset alert is displayed about a revoked certificate and thereafter,  a yellow untrusted certificate popup alert for each badssl.com test performed. 

Edited by itman

1 hour ago, cmit said:

Both the ESET forum and the badssl.com/dashboard websites state ESET SSL Filter CA on all three tested computers
but two of three tested computers' IE's ESET SSL Filter CA's thumbprint do not match the ESET SSL Filter CA in the certmgr.msc's Windows Trusted Root Certification Authorities folder.

What does this mean? How is this related to the issues we are having?

All certificates are valid (not expired).
Every time there's a newer version of ESET EndPoint AntiVirus released, we trigger update from ESMC. Would this be the cause of some thumbprint not matched?

Do this:

1. Navigate to IE11's Tools option.

2. Open Internet options.

3. Click on Content tab. Click on Clear SSL state. When the popup message appears that SSL state has been cleared, click on OK for that popup. Close IE11.

The above forces IE11 to repopulate its SSL cache with current certificates from all Windows CA store sources. Reopen IE11 and perform the badssl.com test again reverifying that the web site's Eset root certificate matches the thumbprint in the Windows root CA certificate store.

Eset's updates via ESMC should not have any bearing on replacement of Eset's root certificate in the endpoint's Windows root CA certificate store; at least it doesn't for EIS. My Eset root certificate dates back to my last full install of EIS ver. 12. 


23 minutes ago, itman said:

To begin with, I am having no issues in regards to the badssl.com web site test using either IE11 or Firefox. My test results are identical to those previously posted by @Marcos; initially a red popup Eset alert is displayed about a revoked certificate and thereafter,  a yellow untrusted certificate popup alert for each badssl.com test performed. 

this is the opposite from what you mentioned before:

9 minutes ago, itman said:

Do this:

1. Navigate to IE11's Tools option.

2. Open Internet options.

3. Click on Content tab. Click on Clear SSL state. When the popup message appears that SSL state has been cleared, click on OK for that popup. Close IE11.

The above forces IE11 to repopulate its SSL cache with current certificates from all Windows CA store sources. Reopen IE11 and perform the badssl.com test again reverifying that the web site's Eset root certificate matches the thumbprint in the Windows root CA certificate store.

Eset's updates via ESMC should not have any bearing on replacement of Eset's root certificate in the endpoint's Windows root CA certificate store; at least it doesn't for EIS. My Eset root certificate dates back to my last full install of EIS ver. 12. 

how is your IE11 verification procedure on ESET SSL certificate related to the issues I have been talking about since all ESET certificates are valid (not expired)?


1 minute ago, cmit said:

this is the opposite from what you mentioned before

You misinterpreted the statement. What I stated was the only test I failed was the SHA-1 test when Eset SSL protocol scanning was enabled.


6 minutes ago, cmit said:

how is your IE11 verification procedure on ESET SSL certificate related to the issues I have been talking about since all ESET certificates are valid (not expired)?

The issue is to verify that no man-in-the-middle activity is occurring. Again when you perform the badssl.com test, you should be receiving multiple Eset alerts which are not occurring from any browser you test with.

BTW - you do have Eset SSL Protocol scanning enabled on all test endpoint devices?

Edited by itman

There is another possibility in regards to your Eset installations.

Reviewing again your posted badssl.com test results, it appears the connections were actually blocked. So the real issue is why you're not receiving any Eset alerts? In the List of SSL/TLS filtered applications section of the Eset GUI are all your browsers set to "Auto?"


Refer to the below screen shot. Is the noted option set to "Ask ……….?" I believe if that is set to block, Eset will just block the activity and you will not receive any alerts on the activity:

 


5 minutes ago, itman said:

Refer to the below screen shot. Is the noted option set to "Ask ……….?" I believe if that is set to block, Eset will just block the activity and you will not receive any alerts on the activity:

 


16 minutes ago, itman said:

There is another possibility in regards to your Eset installations.

Reviewing again your posted badssl.com test results, it appears the connections were actually blocked. So the real issue is why you're not receiving any Eset alerts? In the List of SSL/TLS filtered applications section of the Eset GUI are all your browsers set to "Auto?"

 

Screenshot below my setting should answer your question.


Our "Display alerts" and "Display notifications on desktop" are set to disabled. Is this the reason we didn't get that red and yellow alert? Some of our computers' Firefox do display the yellow untrusted alert within the browser (not the ESET popup) though. Some of our staff freak out when seeing a popup from an antivirus program.


Edited by cmit

4 minutes ago, cmit said:

Our "Display alerts" and "Display notifications on desktop" are set to disabled. Is this the reason we didn't get that red and yellow alert?

I would say that is the answer we have been looking for. So we can "bury" that issue from discussion.


28 minutes ago, itman said:

I would say that is the answer we have been looking for. So we can "bury" that issue from discussion.

@itman this is not the 100% answer you have been looking for because it is only the popup notification disabled but the Firefox itself the first time did show the yellow untrusted alert that shows the option to accept and continue for users' Firefox but not all.

Thanks, but the people from ESET still do not have any answer to my original question (my first two posts): why we had to delete the ESET certificate from Firefox's Certificate Manager -> restart computer for every user of the same computer in order to have an option to "accept and continue" or be able to just view websites right away?

This is getting more confusing: is the issue from ESET, from Firefox, or from both, or simply our own ESET policy setting?
From other threads other people have posted on ESET Forum, I don't think we are the only ESET customer having this inconvenient issue.

 


Edited by cmit

On a device that FireFox displays the "Secure Connection failed" message, open up FireFox's Authorities CA store and verify that Eset's certificate setting for "This certificate can identify websites" is enabled as shown in the below screen shot:


13 minutes ago, itman said:

On a device that FireFox displays the "Secure Connection failed" message, open up FireFox's Authorities CA store and verify that Eset's certificate setting for "This certificate can identify websites" is enabled as shown in the below screen shot:


My screenshot below, it is already enabled when I verified.


What we really need to know for sure at this point, is what certificate FireFox is triggering the "Secure Connection failed" message on.

Click on the FireFox lock symbol and from there you can extract info on both the web site cert. and what it is chained to. Note this is shown in a single display screen versus how IE11 graphically shows the chaining path.


Edited by itman

Also, Firefox doesn't store the Win root CA store certificate thumbprint like IE11. As far as matching what is stored in FireFox in regards to Eset's Authorities certificate, Subject Key Identifier is probably the best match.

Edited by itman
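An added example (not part of any post in this thread, and not ESET's code) of the root-certificate comparison discussed in the posts above: it lists the thumbprint and Subject Key Identifier of every ESET SSL Filter CA certificate in the Windows root stores, then compares them with the chain this endpoint is actually presented for a test site. The host name, the subject-name match and the helper name `Get-Ski` are assumptions made for the example.

```powershell
# Added example, not from the thread. Assumptions: test host, subject-name match.
$ErrorActionPreference = 'Stop'
$TargetHost = 'badssl.com'
$CaName     = 'ESET SSL Filter CA'
$X509       = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Get-Ski($Cert) {
    # Subject Key Identifier extension (OID 2.5.29.14) as hex; nothing if absent.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($ext) { $ext.SubjectKeyIdentifier }
}

# 1. Certificates named $CaName in the Windows root stores.
$stored = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
            Where-Object { $_.Subject -like "*$CaName*" })
$stored | Select-Object PSParentPath, Thumbprint, NotBefore,
                        @{ n = 'SKI'; e = { Get-Ski $_ } } | Format-List

# 2. Chain as this endpoint receives it, i.e. after any SSL/TLS filtering.
$seen   = New-Object System.Collections.ArrayList
$status = New-Object System.Collections.ArrayList
$cb = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($src, $cert, $chain, $policyErrors)
    foreach ($e in $chain.ChainElements) { [void]$seen.Add($X509::new($e.Certificate.RawData)) }
    foreach ($s in $chain.ChainStatus)   { [void]$status.Add($s.Status) }
    $true   # accept so the handshake completes; no data is sent on this stream
}
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($TargetHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
} finally { $tcp.Close() }

# 3. Compare. A non-empty chain status matters even when the thumbprint matches.
$leaf = $seen[0]; $top = $seen[$seen.Count - 1]
"Leaf issuer  : $($leaf.Issuer)"
"Top of chain : $($top.Subject)"
"  Thumbprint : $($top.Thumbprint)"
"  SKI        : $(Get-Ski $top)"
"Chain status : $(if ($status.Count) { $status -join ', ' } else { 'none' })"
if ($leaf.Issuer -notlike "*$CaName*") {
    "Leaf was not issued by $CaName."
} elseif ($stored.Thumbprint -contains $top.Thumbprint) {
    "MATCH: presented root is a stored $CaName certificate."
} else {
    "MISMATCH: chain names $CaName but its root is not in the Windows root store."
}
```

The SKI value printed for each stored certificate is the field to compare with what Firefox shows in its certificate viewer; the thumbprint is the one to compare with IE11.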

@itman thanks a lot for your help but this is still going nowhere.

People from ESET still do not have a proper solution nor willing to have an explanation about this.
I'm definitely not the only ESET customer having this issue.

This suggested temp solution probably should not be posted if it's not recommended to disable the SSL protocol scanning.
(Re-enabling the SSL/TLS protocol filtering or re-enabling the 'add the root certificate to known browsers' did not resolve the issue for all ESET customers)
https://support.eset.com/kb3126/?locale=en_US&viewlocale=en_US

At this point I'm still not 100% sure if this is totally ESET's issue or the web browsers themselves.
(I don't believe it's all ESET's issues)
Thanks to the people from ESET (who are supposed to be responsible for responding) for not being able to at least try to explain or break down this type of issue that's been going on for years.

 

https://stackoverflow.com/questions/36309562/err-bad-ssl-client-auth-cert

https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/i-get-error-message-errbadsslclientauthcert-while/fd1cabfe-1778-42a9-8fc1-ab2dd02b6db4?page=2

Here's a Sophos posting where the OP was having SSL protocol scanning issues in an AD environment: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/47035/certificate-warning-with-https-set-to-url-filtering-only#pi2353=1 . Since I am not knowledgeable when it comes to AD usage, what I gleaned from the postings was the issue had something to do with the option to use AD certificates versus client certs. on Internet traffic.

What is needed here is someone using EES in an AD environment to "chime in" here.

This topic is now closed to further replies.