
Posted

Hi,

First of all, Happy New Year.

I wanted to share an issue we are facing with some clients who use ESET Antivirus and try to access our website. They are getting a message about the certificate of the site; it says the certificate is revoked, but that isn't true. The certificate is valid until July of 2021.

I attach both images (the error and the certificate status).

The site is: https://status.camerfirma.com/ra_2010. You can test with https://status.camerfirma.com

 

Regards!

 

Revoked.PNG

certi.PNG

  • Administrators
Posted

I'm not able to reproduce the detection of an invalid OCSP response from the server. Are you still getting the message?

Posted

Same here connecting from the U.S.

No issues from Eset connecting to this URL, https://status.camerfirma.com , using Firefox, Edge - Chromium, or Internet Explorer.

Posted

Hi,

Well, I have requested the last client who contacted us about this issue to try again. We don't use this antivirus.

Anyway this was a quite common problem we faced some weeks ago, and the certificate installed was the same. So, it seems something was wrong with the detection system. But maybe it was fixed with some update.

I will let you know as soon as I get a reply.

 

Regards!

  • 2 weeks later...
Posted

Hello, we get the same false message for this website:

https://intranet.agricom.cl/Intranet

Clients without ESET software are getting a correct answer from this website with no certificate error.

We even tried to enter an exception for this website, without success:

Web und E-Mail | SSL/TLS | List of known certificates (Import from URL)
Name: *.agricom.cl
Certificate issuer: GlobalSign RSA DV SSL CA 2018
Certificate subject: CN=*.agricom.cl

Access = Allow

But no success: Error Message all the same "Website certificate is revoked"

 

pls help, regards

Wolfgang Holesch

  • Administrators
Posted

The intermediate certificate "GlobalSign RSA DV SSL CA 2018" was indeed revoked:

https://www.ssllabs.com/ssltest/analyze.html?d=intranet.agricom.cl

Trusted:  NOT TRUSTED

 

GlobalSign RSA DV SSL CA 2018
Fingerprint SHA256: 9e898ed03fa46969690dad73c7296675045ff9b5a0100a399beb8435a98f5185
Pin SHA256: zf+i/fasW4ALe6PM9XFmRtKN/HFCpamlq2FK8z/Vuvs=

RSA 2048 bits (e 65537) / SHA256withRSA
REVOKED

Posted (edited)

I will also note that this URL,  https://www.agricom.cl/  , is OK.

Appears to me that access is being attempted to an intranet domain of above via the Internet?

Edited by itman
Posted

OK, I understand that the ESET warning is correct.

But we need to trust this certificate at least until they get a new correct certificate.
What parameters do we have to set in ESET SCM to ignore this single certificate?

We followed this article [KB7241] Resolve the intranet single sign-on authentication issues with TLS filtering activated (eset.com) but the error message still remains.

[Attached image: image.png]

Regards
Wolfgang

 

  • Administrators
Posted

Not sure if the above should work in the case of certificate revocation. Try adding the hostname to the list of URLs excluded from content scan in the URL management setup.

Posted (edited)

Something is not right here in regards to this certificate status.

I went to the GlobalSign web site here: https://support.globalsign.com/ca-certificates/intermediate-certificates/domainssl-intermediate-certificates , and downloaded this cert. I really don't believe GlobalSign would still list a revoked cert. on their web site. Further confirmed by viewing the cert. itself:

[Attached image: Eset_Cert.png]

Additionally note that the thumbprint of this cert.

[Attached image: Eset_Cert_2.png]

does not match that of that shown by the independent scan of the URL by SSLLabs:

Quote

Fingerprint SHA256: 9e898ed03fa46969690dad73c7296675045ff9b5a0100a399beb8435a98f5185

It appears to me that this URL, https://intranet.agricom.cl/Intranet  , is a hacked web site.

 

Edited by itman
  • Administrators
Posted

The leaf certificate has been replaced and is now signed with a new intermediate certificate "GlobalSign GCC R3 DV TLS CA 2020" so no cert. issues are reported now.

Posted

Hi Marcos,

adding the URL to a list excluded from content scan is not what we really want.

Content scan should be applied to web access as we do not trust any foreign web site.

Adding the certificate to the list of known certificates should allow web access with "scan" or "ignore" action regardless of the validity of the certificate: "I know what I do when I allow this special certificate". 

If this is not the behavior then we do want this to be corrected in the software: not as a feature but as an error.

In the meantime a new, now correct, certificate for this special web site was applied. So we do have no more problems accessing this web site. But before we had the same problem with other web sites.

Thank you for trying to help us with this problem.
Best Regards
Wolfgang Holesch

Posted

to itman

This special web site is not a hacked web site but an important business to business intranet site.

The former certificate had a revoked intermediate certificate and therefore was incorrect.

Most web browsers do not check the certificate chain for revoked certificates and show the certificate with revoked certificates falsely as correct.

Regards, Wolfgang

Posted (edited)
6 hours ago, WolfgangHo said:

Most web browsers do not check the certificate chain for revoked certificates and show the certificate with revoked certificates falsely as correct.

Firefox most certainly does: https://support.mozilla.org/en-US/kb/secure-website-certificate . I would assume the same for Chrome and Edge.

This article gets into more detail: https://www.ssl.com/article/how-do-browsers-handle-revoked-ssl-tls-certificates/ . Their test in regards to RSA DV certs. yielded the following:

[Attached image: Eset_Revoked.png]

As long as Firefox has OCSP enabled, which is the default for certificate checking, it will detect a revoked intermediate cert.

Chrome doesn't detect because of bugs it appears:

Quote

Chrome: On Windows, Chrome incorrectly showed one of the revoked certificates (revoked-rsa-dv.ssl.com) as valid and the others as revoked. Disabling validation checking in the OS did not alter this response. Interestingly, none of the four certificates were shown as revoked in CRLSet in crt.sh at the time of the test, suggesting further questions about Chrome’s revocation checking processes.

Edge will detect as long as its default settings haven't been modified:

Quote

Edge: The current production version of Edge, which uses Microsoft’s EdgeHTML and Chakra engines, correctly recognized all four certificates as revoked. However, when revocation checks were disabled in the OS, all four certificates were shown as valid.

However, I don't believe the Edge Chromium version was used in this test.

-EDIT- The thing to note here is that due to Eset SSL/TLS scanning, it is obligated to perform all certificate validations independently. As such, it is using OCSP methods to verify cert. trust status. Ref.: https://blog.ascertia.com/what-is-ocsp-and-how-does-it-work

Edited by itman
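
Added example, not part of any post in this thread: the shell script below builds a throwaway root, intermediate and leaf with OpenSSL, has the root revoke the intermediate, and verifies the same leaf three ways, showing how a client that skips revocation or checks only the leaf accepts the chain while one that checks every certificate reports it as revoked. All subject names, serial numbers and file names are constructed for the demonstration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed three-tier PKI: root -> inter -> leaf. Nothing here is a real CA.
set -eu

build_pki() {
  export DB=root.db                 # CRL database used by `openssl ca`
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = c
[c]
database = $ENV::DB
default_md = sha256
default_crl_days = 7
EOF
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=Constructed $n" -keyout "$n.key" -out "$n.csr"
  done
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 30 \
    -extfile pki.cnf -extensions v3_ca -out root.pem
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 -days 30 \
    -extfile pki.cnf -extensions v3_ca -out inter.pem
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 -days 30 \
    -out leaf.pem
  : > root.db; : > inter.db
  # The root revokes the intermediate; the intermediate's own CRL stays empty,
  # so the leaf itself is never listed as revoked anywhere.
  openssl ca -config pki.cnf -cert root.pem -keyfile root.key -revoke inter.pem
  openssl ca -config pki.cnf -cert root.pem -keyfile root.key -gencrl -out root.crl
  DB=inter.db openssl ca -config pki.cnf -cert inter.pem -keyfile inter.key -gencrl -out inter.crl
  cat root.crl inter.crl > crls.pem
}

chain_status() {   # arguments: extra `openssl verify` flags; prints accepted|revoked|error
  out=$(openssl verify -CAfile root.pem -untrusted inter.pem -CRLfile crls.pem "$@" leaf.pem 2>&1) \
    && { echo accepted; return 0; }
  case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

cd "$(mktemp -d)"
build_pki >/dev/null 2>&1
echo "no revocation checking:       $(chain_status)"
echo "leaf only (-crl_check):       $(chain_status -crl_check)"
echo "whole chain (-crl_check_all): $(chain_status -crl_check_all)"
```
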
Posted (edited)

One thing I am puzzled about is that Eset with default settings is supposed to warn and not block certificates with trust issues which is not happening:

[Attached image: Eset_Cert.thumb.png]

Edited by itman
  • 1 month later...
Posted

I hope to be of help. Camerfirma certificates have been revoked on Chrome 90 Dev at the moment

I suggest looking for the official Google answer in this conversation (search for Ryan Sleevi)

https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ
