SSL inspection Strangeness


So I got a site unblock request today from a user on one of our terminal servers. Easy enough. I add the site to the policy, Web and Email->Web access protection->URL Address management->Address List->List of allowed addresses. I put it in using *.domain.com/* as well as sub.domain.com. Site is NOT unblocked. So I try several things, changing SSL inspection to ask about the cert trust and corruption, disabling SSL inspection, disabling all app protocol filtering; none of it works. Always comes back with ERR_BAD_SSL_CLIENT_AUTH_CERT. Oddly enough, when I go to look at the cert, the chain is missing. It looks like a self-signed cert does on the cert path tab of the certificate. If I go to details->copy to file when viewing the cert and copy it for import, I get the same thing, no chain. I know this is a valid cert and site because when I look at it from another PC with no ESET it works fine. Cert path shows the full chain. I have nothing else on these machines or in this network that would manipulate certificates; ESET is the only MITM/SSL inspection happening around here. Not sure which way to go. Please help.


16 hours ago, noorigin said:

Easy enough. I add the site to the policy, Web and Email->Web access protection->URL Address management->Address List->List of allowed addresses. I put it in using *.domain.com/* as well as sub.domain.com. Site is NOT unblocked.

Did you verify that the "List of allowed addresses" is active? By default it is, but it might have been inadvertently disabled somehow.


25 minutes ago, noorigin said:

Not with any site, just one in particular, https://jaws.fljud13.org/ . Seems to happen with Chrome and IE (all I've tested with).

This is interesting. Eset doesn't filter that web site; at least when using default SSL protocol scanning options. Therefore this cert error, ERR_BAD_SSL_CLIENT_AUTH_CERT, is not being caused by Eset.

The cert chaining path for that web site uses all Comodo certificates.


17 hours ago, noorigin said:

Oddly enough when I go to look at the cert, the chain is missing. It looks like a self signed does on the cert path tab of the certificate. If i go to details->copy to file when viewing the cert and copy it for import, I get the same thing, no chain. I know this is a valid cert and site because when I look at it from another PC with no ESET it works fine. Cert path shows the full chain. I have nothing else on these machines or in this network that would manipulate certificates, ESET is the only MITM/SSL inspection happening

Post a screen shot of the certificate from the terminal server for this web site. If it's not Eset's root CA cert. or a Comodo cert., it definitely appears that some type of MITM activity is occurring on that server.

Again, Eset does not perform SSL/TLS protocol filtering on that web site. This I verified using both Firefox and IE11.


With ESET enabled: [screenshot]

With Web protection disabled: [screenshot]

And the cert info with ESET web filter disabled: [three screenshots of the certificate dialog]

And finally the cert info from an unaffected machine where the site loads fine; thumbprints match: [three screenshots of the certificate dialog]

 

Both machines these screenshots were taken from are on the same network.

 

 


I ran a scan on the web site at Qualys. Here's the report: https://www.ssllabs.com/ssltest/analyze.html?d=jaws.fljud13.org . The site does have cert. chaining issues.

I also attempted to logon to that web site and had no issues. It returned an invalid logon message since I used bogus id and password data. Also based on your above screen shots, it appears the issue you are having occurs at site logon time? In other words, you can access the web site's home page?

Also Eset in the past had issues with SSL/TLS protocol scanning when additional certs. were provided in the chaining path as shown in the Qualys analysis. However, Eset is not performing SSL/TLS protocol scanning on this web site. As such, it is not performing any SSL/TLS validations as to cert. chaining as far as I am aware of. So at this point, I am at a loss as to what is going on at your installation.

One thing you could verify is if the Eset SSL/TLS protocol scanning option to "Exclude communications with trusted domains" is enabled on the server. If that option is disabled, Eset will scan every HTTPS web site.

Edited by itman

Not at login, this is happening on the home page. Cannot access the home page. Haven't even tried to log in.

The "Exclude communications with trusted domains" is enabled.  

Clearly something is going on with ESET. With Web and Email->protocol filtering enabled I just cannot get to the site at all. Nothing. With Web and Email->protocol filtering disabled I can get the site to load, but with cert errors. From another machine with no ESET it all works. Is there a way to view the built-in whitelist for trusted domains in ESET? If it's a trusted domain that shouldn't be scanned, but clearly ESET is doing something with it, then maybe that domain is not in the whitelist on this machine?

 

FYI, there are multiple machines affected it seems.


Administrators

The website is not scanned by ESET. Please provide ELC logs as well as the file c:\ProgramData\ESET\ESET Security\certCache.dat.

Disabling protocol filtering would make it equal to not having ESET installed at all with regard to http(s) communication.


Marcos,

 

What are the ESET Log Collector logs and how do I get them? Also, I don't see certCache.dat in that directory.

[screenshot of the C:\ProgramData\ESET\ESET Security directory listing]

 

Edited by noorigin
after I hit submit "ESET Log Collector" turned into ESET Log Collector. Got it. Let me run it and post results

20 minutes ago, noorigin said:

What are the ESET Log Collector logs

On the forum home page on the right hand side, click on this link "How do I use ESET Log Collector?"

As far as certCache.dat, it exists on my Eset installation:

[screenshot of certCache.dat in the ESET Security directory]


Believe the missing certCache.dat file is the issue. Mine contains jaws.fljud13.org plus a bunch of gibberish characters. Strange that is the only entry in the file.

-EDIT- More strange is the file was created this morning at a time that corresponds to my first access to https://jaws.fljud13.org/

My gut is telling me this how Eset is now handling web sites that download root/intermediate certs. on the fly as this site does. It just uses this file to create an exception to SSL/TLS protocol scanning for the site.

Edited by itman

Now that is strange. I wonder if it caches recent domains or something. So keep in mind this issue is affecting multiple machines, servers and desktops. One of my TS servers does not have that file. The other TS servers do. Spot checking a few other servers, they are missing the file as well. All of the desktop clients (EES) that I have spot checked are missing it too.


There also is a distinct possibility that there is a bug in Eset Web Server and it's not creating this cert. exception as done in its other products.


4 minutes ago, noorigin said:

The other TS servers do. Spot checking a few other servers, they are missing the file as well. All of the desktop clients (EES) that I have spot checked are missing it too.

My strong suspicion is the file is only created on the exception basis. Did you try to access https://jaws.fljud13.org/ on one of the EES client devices?


35 minutes ago, noorigin said:

I did try on 2 of the EES clients earlier today

That is indeed very strange and should not be happening. That is unless Eset never implemented the fix on the entire business product line.

Can the user live with HTTP only access to the web site or does he need to log in to the site? If he needs to log on, there is something else we can try as a workaround.


37 minutes ago, noorigin said:

Not sure what they need it for. What's the workaround?

Not 100% sure if this will work, but it is worth a shot. It all depends on whether Eset checks for web site certificate exclusions first, which I believe it does.

1. On a device where Eset is uninstalled or https://jaws.fljud13.org/ is accessible, export the web site cert. Then copy it to whatever device/s where you wish the site to be accessible.

2. Open Eset's SSL/TLS settings. Then open "List of known certificates" section. Mouse click on the Add tab.

3. Mouse click on the "File" tab. Navigate to where ever you saved the certificate and then click on the OK tab.

At this point the web site's cert. should be imported into Eset.

4. Change the "Scan action" to "Ignore."

5. Click on the OK tab and every subsequent OK tab to save your settings.

Hopefully at this point, you should be able to access https://jaws.fljud13.org/  w/o issue.

If you still can't access the site, return to the "List of known certificates" section. This time mouse click on the added cert. Then mouse click on the Edit tab. Change the "Access action" to "Allow." Click on the OK tab and every subsequent OK tab to save your settings.

Of course, the above will have to be repeated on every device Eset is installed on that wishes to access this web site.
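The two things this thread keeps coming back to, comparing the chain and thumbprint a machine actually sees for the site (itman's Qualys check and the screenshot comparison above) and exporting the site cert for step 1 of the workaround, can both be done from a terminal server without the browser's certificate dialog. The PowerShell below is an added example, not code from the thread or from ESET: it opens a TLS connection through the local Windows TLS stack, prints the leaf certificate's subject, issuer and thumbprint, lets Windows attempt to build the path, and optionally writes the leaf out as a DER .cer file. The host name is the one from the thread; the `-ExportPath` parameter and the output format are assumptions of this example.

```powershell
# Added example (not from the thread): show the certificate and chain a host presents
# through this machine's TLS stack, and optionally export the leaf for import into
# ESET's "List of known certificates". Run on an affected and an unaffected machine
# and compare the output line by line.
param(
    [string]$TargetHost = 'jaws.fljud13.org',   # host from the thread
    [int]$Port = 443,
    [string]$ExportPath = ''                    # assumed parameter, e.g. C:\Temp\jaws.cer; empty = no export
)

$tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
try {
    # Accept whatever the server (or an interposing filter) presents: the goal is to
    # observe the certificate, not to enforce trust here.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
    $ssl.AuthenticateAsClient($TargetHost)

    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Subject     : $($leaf.Subject)"
    "Issuer      : $($leaf.Issuer)"        # a Comodo issuer is expected per the thread; anything else points at interception
    "Thumbprint  : $($leaf.Thumbprint)"    # compare with the unaffected machine
    "Self-signed : $($leaf.Subject -eq $leaf.Issuer)"

    # Ask Windows to build the path. This consults the local store and AIA fetching,
    # so a cached intermediate can make the chain look complete even if the server
    # did not send it.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($leaf)
    "Chain built : $built"
    $i = 0
    foreach ($el in $chain.ChainElements) {
        "  [$i] $($el.Certificate.Subject)  ($($el.Certificate.Thumbprint))"
        $i++
    }
    foreach ($s in $chain.ChainStatus) {
        "  status: $($s.Status) - $($s.StatusInformation.Trim())"
    }

    if ($ExportPath) {
        # DER export of the leaf only, the same thing certmgr's "Copy to File" gives you.
        $der = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($ExportPath, $der)
        "Exported leaf to $ExportPath"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it as `.\Show-SiteCert.ps1` on the affected terminal server and again on the machine where the site loads, then compare: matching thumbprints and a Comodo issuer on both sides, as the screenshots above report, mean nothing in the TLS path is swapping the certificate; a differing thumbprint or an ESET issuer means the filter is interposing on that machine despite the trusted-domain exclusion. Because `X509Chain.Build` fills gaps from the local store, a chain that builds here but not in the browser usually means the server itself is not sending the intermediate, which is what the Qualys chaining warning describes. Use `-ExportPath` on the working machine to produce the .cer file for step 1 of the workaround.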

 


This topic is now closed to further replies.