offbyone, posted August 10, 2020

Hello. We have a problem with ESET SSL filtering and Firefox. I have an assumption what may be wrong, but as I don't know how exactly this function is implemented, maybe someone could confirm if my assumptions are right and maybe suggest a workaround.

If a user logs in on another PC, ESET SSL filtering is broken within FF, and you get the following error message when browsing https websites.

From what I understand the ESET client generates an individual CA cert including the private key and then adds it to the certificate store of Windows and also Firefox. As the cert store of Firefox is part of its profile and as such also part of the OS roaming profile, this certificate is also roamed when the user logs in on another PC. In this case the certificate seems to be present within Firefox, but as that cert is individually created on every PC, the cert which Firefox uses and the one ESET uses for encryption are not the same.

What do you think?

Thanks and Cheers
Marcos (Administrators), posted August 10, 2020

An ESET root certificate is added to the Trusted root CA certificate store if SSL filtering is enabled. Please open certmgr.msc, expand "Trusted root CA" -> Certificates and make sure that an "ESET SSL Filter CA" root certificate is listed there. If so, close all applications, disable SSL filtering in the ESET advanced setup and click OK. Make sure that the root certificate is no longer present in the TRCA certificate store. Then re-enable SSL filtering and check if the issue has been resolved.
itman, posted August 10, 2020 (edited)

9 minutes ago, offbyone said:
> From what I understand the ESET client generates an individual CA cert including the private key and then adds it to the certificate store of Windows and also Firefox.

Not on the latest Eset versions. Also, latest Firefox versions defer to the Win root CA certificate store if the AV vendor cert. is not present in Firefox's Authorities cert. store.

When Eset is installed, the certificate it creates in the Win root CA certificate store has a unique private key.

Edited August 10, 2020 by itman
offbyone (Author), posted August 10, 2020

@Marcos: I have done what you suggested.

- ESET CA was present as trusted root in Windows
- ESET CA was present as trusted root in FF
- After disabling SSL filtering ESET CA vanished.
- After enabling SSL filtering ESET CA was present again as trusted root in Windows
- After enabling SSL filtering ESET CA was not present as trusted root in FF
- Browsing https with IE works as before, where sites are encrypted by ESET CA
- Browsing https with FF now also works, but sites are not encrypted by ESET CA

So it now works, but without SSL interception in FF.
offbyone (Author), posted August 10, 2020

@itman
> Not on the latest Eset versions.

We use the latest ESET version and found ESET CA to be present in the FF cert store. However, after removing it, it is not re-added to the FF cert store. Is this expected behaviour?
itman, posted August 10, 2020

17 minutes ago, offbyone said:
> Browsing https with FF now also works but sites are not encrypted by ESET CA

What is your basis for this? The fact that Firefox no longer shows the lock symbol on HTTPS web sites? This was eliminated in later versions of Firefox. If you want it back, you will have to perform a config modification.
itman, posted August 10, 2020

3 minutes ago, offbyone said:
> @itman We use the latest ESET version and found ESET CA to be present in the FF cert store. However, after removing it, it is not re-added to the FF cert store. Is this expected behaviour?

Yes.
offbyone (Author), posted August 10, 2020

> What is your basis for this?

Browsing a https site in IE and inspecting the site cert shows that it was signed by ESET CA. Browsing the same https site in FF and inspecting the site cert shows that it was not signed by ESET CA.

Cheers.
Marcos (Administrators), posted August 10, 2020

Does this file exist? "C:\Program Files\Mozilla Firefox\defaults\pref\eset_security_config_overlay.js"
offbyone (Author), posted August 10, 2020 (edited)

OK, things are getting clearer now. In this file you enable FF to use the Windows cert store, but we set

"Certificates" : {
  "ImportEnterpriseRoots" : false,
  "#Comment" : "Don't use OS certificate store"
}

in the policy file to disable the cert store of Windows. Maybe this is conflicting.

Any idea why ESET CA was also present in the FF cert store before? We are still using the initial version and did not upgrade ESET so far.

Edited August 10, 2020 by offbyone
Marcos (Administrators), posted August 10, 2020

It was changed a few months ago; since then we do not import the root certificate to Mozilla's certificate store but configure Firefox to use the system TRCA certificate store instead. You can disable the option for importing the root certificate automatically and import it manually to Mozilla's CA certificate store.

What version do you mean by the initial version? Endpoint 7.3.2039 is the latest and you should upgrade to it, especially if:
- you use Windows 10
- you have Endpoint 6.6 or newer installed but not the latest v7.3.
itman, posted August 10, 2020

25 minutes ago, offbyone said:
> in the policy file to disable the cert store of Windows. Maybe this is conflicting.

Yes, it is conflicting:

> Starting with Firefox version 68, when a TLS connection error occurs Firefox will automatically enable the Enterprise Roots preference and attempts to connect again. If the issue is resolved, then the Enterprise Roots preference remains enabled. However, you may want to disable this behavior, so this article explains how to do just that without compromising security.

https://support.mozilla.org/en-US/kb/how-disable-enterprise-roots-preference

27 minutes ago, offbyone said:
> Any idea why ESET CA was also present in the FF cert store before?

Because prior to ver. 68, the Enterprise Roots preference by default was not to refer to it.
offbyone (Author), posted August 10, 2020

> What version do you mean by the initial version?

I wanted to say that we started with 7.3.2036.0 and are still on that version. So I wonder why the ESET CA is present in the FF store. When we started with ESET we were on FF ESR 68.06 and are now on FF ESR 68.10.

Cheers.
offbyone (Author), posted August 10, 2020

@itman THX for sharing the link to the Mozilla website.
offbyone (Author), posted August 13, 2020

Changing the FF policy to

"Certificates" : {
  "ImportEnterpriseRoots" : true,
  "#Comment" : "Don't use OS certificate store"
}

seems to solve the problem.
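The conflict discussed above (the enterprise policy says ImportEnterpriseRoots: false while ESET's defaults/pref overlay locks security.enterprise_roots.enabled to true) is the kind of thing worth checking on every managed workstation before blaming the AV. The following script is an added example, not code from ESET or from anyone in this thread; it assumes Firefox's standard policies.json layout (a top-level "policies" object) and uses constructed sample inputs modelled on the snippets posted here.

```python
import json
import re

# Constructed sample inputs modelled on the thread (not copied from a real machine):
# the enterprise policies.json that disables the OS trust store, and the
# defaults/pref overlay line that ESET drops into the Firefox install directory.
POLICIES_JSON = """{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": false,
      "#Comment": "Don't use OS certificate store"
    }
  }
}"""
OVERLAY_JS = 'pref("security.enterprise_roots.enabled", true, locked);\n'

# Matches boolean pref(...) lines such as the one in eset_security_config_overlay.js.
PREF_RE = re.compile(r'^\s*pref\("([^"]+)",\s*(true|false)(\s*,\s*locked)?\s*\);', re.M)


def parse_overlay(text):
    """Return {pref_name: (value, locked)} for every boolean pref in an overlay file."""
    return {m.group(1): (m.group(2) == "true", m.group(3) is not None)
            for m in PREF_RE.finditer(text)}


def import_enterprise_roots(policies_text):
    """Return the Certificates.ImportEnterpriseRoots policy value, or None if unset."""
    policies = json.loads(policies_text).get("policies", {})
    return policies.get("Certificates", {}).get("ImportEnterpriseRoots")


def check_trust_store_config(policies_text, overlay_text):
    """Classify how policy and overlay pref agree on using the Windows trust store:
    'unmanaged'  policy does not set it, the overlay pref alone decides
    'consistent' policy allows the OS store (the setting that fixed this thread)
    'conflict'   policy forbids the OS store while the overlay pref enables it
    'policy-off' policy forbids it and no overlay pref enables it"""
    policy = import_enterprise_roots(policies_text)
    pref = parse_overlay(overlay_text).get("security.enterprise_roots.enabled")
    pref_on = pref is not None and pref[0]
    if policy is None:
        return "unmanaged"
    if policy:
        return "consistent"
    return "conflict" if pref_on else "policy-off"


def enable_enterprise_roots(policies_text):
    """Return policies.json text with ImportEnterpriseRoots set to true (the thread's fix)."""
    doc = json.loads(policies_text)
    doc.setdefault("policies", {}).setdefault("Certificates", {})["ImportEnterpriseRoots"] = True
    return json.dumps(doc, indent=2)
```

Run it against the real files (the overlay path Marcos quoted, and distribution\policies.json under the Firefox install directory) to see which state a workstation is in; a "conflict" result means Firefox is being told two different things about the OS store.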
itman, posted August 13, 2020

1 hour ago, offbyone said:
> Changing the FF policy to "Certificates" : { "ImportEnterpriseRoots" : true, "#Comment" : "Don't use OS certificate store" } seems to solve the problem.

Appears Firefox ESR ver. 68+ default behavior is different than the retail ver. On the retail 68+ ver., the first successful attempt using the Win root CA store will permanently set EnterpriseRoots to the true value.
shocked (Most Valued Members), posted September 15, 2020

On 8/10/2020 at 10:24 PM, Marcos said:
> Does this file exist? "C:\Program Files\Mozilla Firefox\defaults\pref\eset_security_config_overlay.js"

In my case it does exist and these are its contents:

pref("security.enterprise_roots.enabled", true, locked);

This means that FF will read and use the certificates of the Windows cert store (and perhaps its own from Mozilla as well)?

On 8/10/2020 at 10:59 PM, Marcos said:
> It was changed a few months ago; since then we do not import the root certificate to Mozilla's certificate store but configure Firefox to use the system TRCA certificate store instead...

So that's why I can't find the eset cert in the FF certificate store settings panel? eset no longer imports it there, but FF will still use it as necessary by "seeing" the Windows cert store.

@Marcos am I understanding all these right?
Marcos (Administrators), posted September 15, 2020

1 hour ago, shocked said:
> @Marcos am I understanding all these right?

Yes, that's correct. We set security.enterprise_roots.enabled to true and import the root certificate to the system trusted root CA certificate store. However, it could be that under certain circumstances we still import it also to Mozilla's TRCA certificate store, e.g. when an older version of Firefox is used, but I can't confirm nor deny it at the moment.
itman, posted September 15, 2020 (edited)

2 hours ago, Marcos said:
> However, it could be that under certain circumstances we still import it also to Mozilla's TRCA certificate store, e.g. when an older version of Firefox is used, but I can't confirm nor deny it at the moment.

When this topic first came up in regards to FF using the Win root CA cert. store and Eset no longer adding its root CA cert. to FF's Authorities cert. store, I purposely deleted Eset's cert. from FF's Authorities cert. store. I just rechecked FF's Authorities cert. store and the Eset root cert. is now there. So it does appear that Eset upon version update is still adding its root cert. to FF's Authorities cert. store on non-Enterprise FF versions.

Also, FF preferences does show "security.enterprise_roots.enabled", true, locked.

Edited September 15, 2020 by itman