Jump to content
offbyone

Firefox + ESET SSL Filter CA

Recommended Posts

Hello.

We have a problem with ESET SSL filtering and Firefox.

I have an assumption what may be wrong but as I don't know how exactly this function is implemented maybe someone could confirm if my assumptions are right and maybe suggests a workaround.

If a user logs in on another PC, ESET SSL filtering is broken within FF, and you get the following error message when browsing https websites.

SC.PNG.2d05fc2dbfff9578f1a621f3133549a8.PNG

From what I understand the ESET client generates an individual CA cert including the private key and then adds it to the certificate store of Windows and also Firefox. As the cert store of Firefox is part of its profile and as such also parts of the OS roaming profile this certificate is also roamed when the user logs in on another PC. In this case the certificate seems to be present within Firefox, but as that cert is individually created on every PC, the cert which Firefox uses and the one ESET uses for encryption are not the same.

What do you think?

Thanks and Cheers

Share this post


Link to post
Share on other sites

An ESET root certificate is added to the Trusted root CA certificate store if SSL filtering is enabled.

Please open certmgr.msc, expand "Trusted root CA" -> Certificates and make sure that an "ESET SSL Filter CA" root certificate is listed there. If so, close all applications, disable SSL filtering in the ESET advanced setup and click OK. Make sure that the root certificate is no longer present in the TRCA certificate store. Then re-enable SSL filtering and check if the issue has been resolved.

Share this post


Link to post
Share on other sites
Posted (edited)
9 minutes ago, offbyone said:

From what I understand the ESET client generates an individual CA cert including the private key and then adds it to the certificate store of Windows and also Firefox.

Not on the lastest Eset versions.

Also, latest FireFox versions defer to WIn root CA certificate store if AV vendor cert. is not present in FireFox Authorities cert. store.

When Eset is installed, the certificate it creates in WIn root CA certificate store has a unique private key.

Edited by itman

Share this post


Link to post
Share on other sites

@Marcos:

I have done what you suggested.

  • ESET CA was present as trusted root in Windows
  • ESET CA was present as trusted root in FF
  • After disabling SSL filtering ESET CA vanished.
  • After enabling SSL filtering ESET CA was present again as trusted root in windows
  • After enabling SSL filtering ESET CA was not present as trusted root in FF
  • Browsing https with IE works as before where sites are encrypted by ESET CA
  • Browsing https with FF now also works but sites are not encrypted by ESET CA

So it now works but without SSL interception in FF

Share this post


Link to post
Share on other sites

 @itman

Quote

Not on the lastest Eset versions.

We use latest ESET version and found ESET CA to be present in FF cert store.

However after removing it is not re-added to FF cert store.

Is this expected behaviour?

Share this post


Link to post
Share on other sites
17 minutes ago, offbyone said:

Browsing https with FF now also works but sites are not encrypted by ESET CA

What is your basis for this? The fact that FireFox no longer shows the lock symbol on HTTPS web sites? This was eliminated the later versions of FireFox. If you want it back, you will have to perform a config modification.

Share this post


Link to post
Share on other sites
3 minutes ago, offbyone said:

 @itman

We use latest ESET version and found ESET CA to be present in FF cert store.

However after removing it is not re-added to FF cert store.

Is this expected behaviour?

Yes.

Share this post


Link to post
Share on other sites
Quote

What is your basis for this?

Browsing a https site in IE and inspecting the site cert shows that it was signed by ESET CA.

Browsing the same https site in FF and inspecting the site cert shows that it was not signed by ESET CA

Cheers.

Share this post


Link to post
Share on other sites

Does this file exist? "C:\Program Files\Mozilla Firefox\defaults\pref\eset_security_config_overlay.js"

Share this post


Link to post
Share on other sites
Posted (edited)

Ok thing getting clearer now.

In this file you enable FF to use Windows cert store but we set

      "Certificates" : 
      {
         "ImportEnterpriseRoots" : false,
         "#Comment" : "Don't use OS certificate store"
      }

in policy file to disable cert store of Windows. Maybe this is conflicting.

Any idea why ESET CA was also present in FF cert store before?

We are still using the initial version and did not upgrade ESET so far.

Edited by offbyone

Share this post


Link to post
Share on other sites

It was changed a few months ago; since then we do not import the root certificate to the Mozilla's certificate store but configure Firefox to use the system TRCA certificate store instead. You can disable the option for importing the root certificate automatically and import it manually to the Mozilla's CA certificate store.

What version do you mean by the initial version? Endpoint 7.3.2039 is the latest and you should upgrade to it especially if:
- you use Windows 10
- you have Endpoint 6.6 or newer installed but not the latest v7.3.

Share this post


Link to post
Share on other sites
25 minutes ago, offbyone said:

in policy file to disable cert store of Windows. Maybe this is conflicting.

Yes, it is conflicting:

Quote

Starting with Firefox version 68, when a TLS connection error occurs Firefox will automatically enable the Enterprise Roots preference and attempts to connect again. If the issue is resolved, then the Enterprise Roots preference remains enabled. However, you may want to disable this behavior, so this article explains how to do just that without compromising security.

https://support.mozilla.org/en-US/kb/how-disable-enterprise-roots-preference

27 minutes ago, offbyone said:

Any idea why ESET CA was also present in FF cert store before?

Because prior to ver. 68, Enterprise Roots preference by default was not to refer to it.

Share this post


Link to post
Share on other sites
Quote

What version do you mean by the initial version?

I wanted to say that we started with 7.3.2036.0 and are still on that version. So I wonder why the ESET CA is present in FF store. When we started with ESET we were on FF ESR 68.06. and are now on FF ESR 68.10.

Cheers.

Share this post


Link to post
Share on other sites

Changing FF policy to

      "Certificates" : 
      {
         "ImportEnterpriseRoots" : true,
         "#Comment" : "Don't use OS certificate store"
      }

seems to solve the problem.

Share this post


Link to post
Share on other sites
1 hour ago, offbyone said:

Changing FF policy to


      "Certificates" : 
      {
         "ImportEnterpriseRoots" : true,
         "#Comment" : "Don't use OS certificate store"
      }

seems to solve the problem.

Appears FireFox ESR ver. 68+ default behavior is different than the retail ver..

On the retail 68+ ver., first successful attempt using Win root CA store will permanently set EnterpriseRoots to true value.

Share this post


Link to post
Share on other sites
On 8/10/2020 at 10:24 PM, Marcos said:

Does this file exist? "C:\Program Files\Mozilla Firefox\defaults\pref\eset_security_config_overlay.js"

in my case it does exist and these are its contents. pref("security.enterprise_roots.enabled", true, locked);
this means that FF will read and use the certificates of the windows cert store (and perhaps its own from Mozilla as well)?

 

 

On 8/10/2020 at 10:59 PM, Marcos said:

It was changed a few months ago; since then we do not import the root certificate to the Mozilla's certificate store but configure Firefox to use the system TRCA certificate store instead.....

so that's why i cant find the eset cert in the FF certificate store settings panel?

eset no longer imports it there but FF will still use it as necessary by "seeing" the windows cert store.

 

@Marcos am i understanding all these right?

 

 

Share this post


Link to post
Share on other sites
1 hour ago, shocked said:

@Marcos am i understanding all these right?

Yes, that's correct. We set security.enterprise_roots.enabled to true and import the root certificate to the system trusted root CA certificate store. However, it could be that under certain circumstances we still import it also the the Mozilla's TRCA certificate store, e.g. when an older version of Firefox is used but I can't confirm nor deny it at the moment.

Share this post


Link to post
Share on other sites
2 hours ago, Marcos said:

However, it could be that under certain circumstances we still import it also the the Mozilla's TRCA certificate store, e.g. when an older version of Firefox is used but I can't confirm nor deny it at the moment.

When this topic first came up in regards to FF using Win root CA cert. store and Eset no longer adding its root CA cert. to FF's Authorities cert. store, I purposely deleted Eset's cert. from FF's Authorities cert. store.

I just rechecked FF's Authorities cert. store and the Eset root cert. is now there. So it does appear that Eset upon version update is still adding its root cert. to FF's Authorities cert. store on non-Enterprise FF versions. Also, FF preferences does show security.enterprise_roots.enabled", true, locked

Edited by itman

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...