hectorx, Posted January 4, 2021

Hi,

First of all, Happy New Year. I wanted to share an issue we are facing with some clients who use ESET Antivirus and try to access our website. They are getting a message about the certificate of the site; it says the certificate is revoked, but that isn't true. The certificate is valid until July of 2021. I attach both images (the error and the certificate status).

The site is: https://status.camerfirma.com/ra_2010. You can test with https://status.camerfirma.com

Regards!

Marcos (Administrators), Posted January 6, 2021

I'm not able to reproduce the detection of an invalid OCSP response from the server. Are you still getting the message?

itman, Posted January 6, 2021

Same here connecting from the U.S. No issues from Eset connecting to this URL, https://status.camerfirma.com , using Firefox, Edge - Chromium, or Internet Explorer.

hectorx (Author), Posted January 7, 2021

Hi,

Well, I have requested the last client who contacted us about this issue to try again. We don't use this antivirus. Anyway, this was a quite common problem we faced some weeks ago, and the certificate installed was the same. So, it seems something was wrong with the detection system. But maybe it was fixed with some update. I will let you know as soon as I get a reply.

Regards!

WolfgangHo, Posted January 20, 2021

Hello,

we get the same false message for this website https://intranet.agricom.cl/Intranet

Clients without ESET Software are getting correct answer from this website with no certificate error.

We even tried to enter an exception for this website without success:

Web und E-Mail | SSL/TLS | List of known certificates (Import from URL)
Name: *.agricom.cl
Certificate issuer: GlobalSign RSA DV SSL CA 2018
Certificate subject: CN=*.agricom.cl
Access = Allow

But no success: Error Message all the same "Website certificate is revoked"

pls help,
regards
Wolfgang Holesch

Marcos (Administrators), Posted January 20, 2021

8 minutes ago, WolfgangHo said:
> Hello, we get the same false message for this website https://intranet.agricom.cl/Intranet
> Clients without ESET Software are getting correct answer from this website with no certificate error
> We even tried to enter an exception for this website without success
> Web und E-Mail | SSL/TLS | List of known certificates (Import from URL)
> Name: *.agricom.cl
> Certificate issuer: GlobalSign RSA DV SSL CA 2018
> Certificate subject: CN=*.agricom.cl
> Access = Allow
> But no success: Error Message all the same "Website certificate is revoked"
> pls help, regards Wolfgang Holesch

The intermediate certificate "GlobalSign RSA DV SSL CA 2018" was indeed revoked: https://www.ssllabs.com/ssltest/analyze.html?d=intranet.agricom.cl

Trusted: NOT TRUSTED
GlobalSign RSA DV SSL CA 2018
Fingerprint SHA256: 9e898ed03fa46969690dad73c7296675045ff9b5a0100a399beb8435a98f5185
Pin SHA256: zf+i/fasW4ALe6PM9XFmRtKN/HFCpamlq2FK8z/Vuvs=
RSA 2048 bits (e 65537) / SHA256withRSA
REVOKED

itman, Posted January 20, 2021 (edited)

I will also note that this URL, https://www.agricom.cl/ , is OK. Appears to me that access is being attempted to an intranet domain of above via the Internet?

Edited January 20, 2021 by itman

WolfgangHo, Posted January 21, 2021

ok, I understand that the ESET warning is correct. But we need to trust this certificate at least as long they get a new correct certificate.

What parameters do we have to set in ESET SCM to ignore this single certificate?

We followed this article, [KB7241] Resolve the intranet single sign-on authentication issues with TLS filtering activated (eset.com), but the error message still remains.

Regards
Wolfgang

Marcos (Administrators), Posted January 21, 2021

Not sure if the above should work in the case of certificate revocation. Try adding the hostname to the list of URLs excluded from content scan in the URL management setup.

itman, Posted January 21, 2021 (edited)

Something is not right here in regards to this certificate status.

I went to the GlobalSign web site here: https://support.globalsign.com/ca-certificates/intermediate-certificates/domainssl-intermediate-certificates , and downloaded this cert. I really don't believe GlobalSign would still list a revoked cert. on their web site. Further confirmed by viewing the cert. itself:

Additionally note that the thumbprint of this cert. does not match that shown by the independent scan of the URL by SSLLabs:

Quote:
> Fingerprint SHA256: 9e898ed03fa46969690dad73c7296675045ff9b5a0100a399beb8435a98f5185

It appears to me that this URL, https://intranet.agricom.cl/Intranet , is a hacked web site.

Edited January 21, 2021 by itman

Marcos (Administrators), Posted January 21, 2021

The leaf certificate has been replaced and is now signed with a new intermediate certificate "GlobalSign GCC R3 DV TLS CA 2020" so no cert. issues are reported now.

WolfgangHo, Posted January 22, 2021

Hi Marcos,

adding the URL to a list excluded from content scan is not what we really want. Content scan should be applied to web access as we do not trust any foreign web site.

Adding the certificate to the list of known certificates should allow web access with "scan" or "ignore" action regardless of the validity of the certificate: "I know what I do when I allow this special certificate". If this is not the behavior then we do want this to be corrected in the software: not as a feature but as an error.

In the meantime a new, now correct, certificate for this special web site was applied. So we do have no more problems accessing this web site. But before we had the same problem with other web sites.

Thank you for trying to help us with this problem.

Best Regards
Wolfgang Holesch

WolfgangHo, Posted January 22, 2021

to itman

This special web site is not a hacked web site but an important business to business intranet site. The former certificate had a revoked intermediate certificate and therefore was incorrect. Most web browsers do not check the certificate chain for revoked certificates and show the certificate with revoked certificates falsely as correct.

Regards,
Wolfgang

itman, Posted January 22, 2021 (edited)

6 hours ago, WolfgangHo said:
> Most web browsers do not check the certificate chain for revoked certificates and show the certificate with revoked certificates falsely as correct.

Firefox most certainly does: https://support.mozilla.org/en-US/kb/secure-website-certificate . I would assume the same for Chrome and Edge.

This article gets into more detail: https://www.ssl.com/article/how-do-browsers-handle-revoked-ssl-tls-certificates/ . Their test in regards to RSA DV certs. yielded the following:

As long as Firefox has OCSP enabled, which is the default for certificate checking, it will detect a revoked intermediate cert.

Chrome doesn't detect because of bugs it appears:

Quote:
> Chrome: On Windows, Chrome incorrectly showed one of the revoked certificates (revoked-rsa-dv.ssl.com) as valid and the others as revoked. Disabling validation checking in the OS did not alter this response. Interestingly, none of the four certificates were shown as revoked in CRLSet in crt.sh at the time of the test, suggesting further questions about Chrome’s revocation checking processes.

Edge will detect as long as its default settings haven't been modified:

Quote:
> Edge: The current production version of Edge, which uses Microsoft’s EdgeHTML and Chakra engines, correctly recognized all four certificates as revoked. However, when revocation checks were disabled in the OS, all four certificates were shown as valid.

However, I don't believe the Edge Chromium version was used in this test.

-EDIT- The thing to note here is that due to Eset SSL/TLS scanning, it is obligated to perform all certificate validations independently. As such, it is using OCSP methods to verify cert. trust status. Ref.: https://blog.ascertia.com/what-is-ocsp-and-how-does-it-work

Edited January 23, 2021 by itman

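
The situation argued over in the two posts above (a leaf that is not itself revoked, under an intermediate that is, and a client that checks only part of the chain), as an added example that is not part of the thread. It builds a constructed root, intermediate and leaf with OpenSSL and uses CRLs rather than OCSP so that it runs offline; every name and file name is an assumption, and OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example: a constructed test PKI (root -> intermediate -> leaf).
# All names and files here are made up; nothing comes from the thread.
set -eu

build_pki() {    # $1 = empty working directory
  ( cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[root_ca]
database = root.idx
default_md = sha256
[int_ca]
database = int.idx
default_md = sha256
EOF
    : > root.idx; : > int.idx
    mk() { openssl req -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
             -keyout "$2.key" -out "$2.csr"; }
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
      -subj "/CN=Constructed Root" -keyout root.key -out root.crt -days 30
    mk "Constructed Intermediate" int
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile pki.cnf -extensions v3_ca -out int.crt -days 30
    mk "leaf.example.test" leaf
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -out leaf.crt -days 30
    # The root revokes the intermediate; the intermediate's own CRL is empty,
    # so the leaf itself is NOT revoked.
    openssl ca -config pki.cnf -name root_ca -keyfile root.key -cert root.crt -revoke int.crt
    openssl ca -config pki.cnf -name root_ca -keyfile root.key -cert root.crt \
      -gencrl -crldays 30 -out root.crl
    openssl ca -config pki.cnf -name int_ca -keyfile int.key -cert int.crt \
      -gencrl -crldays 30 -out int.crl
    cat root.crl int.crl > crls.pem
  ) >/dev/null 2>&1
}

verify_chain() { # $1 = PKI dir, $2 = -crl_check (leaf only) or -crl_check_all
  ( cd "$1" && openssl verify -CAfile root.crt -untrusted int.crt \
      -CRLfile crls.pem "$2" leaf.crt 2>&1 )
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
verify_chain "$PKI_DIR" -crl_check     || true   # leaf-only check: chain accepted
verify_chain "$PKI_DIR" -crl_check_all || true   # whole chain: intermediate revoked
```
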
itman, Posted January 22, 2021 (edited)

One thing I am puzzled about is that Eset with default settings is supposed to warn and not block certificates with trust issues which is not happening:

Edited January 22, 2021 by itman

Giacomo Nardone, Posted February 23, 2021

I hope to be of help. Camerfirma certificates have been revoked on Chrome 90 Dev at the moment. I suggest looking for the official Google answer in this conversation (search for Ryan Sleevi): https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/iAUwcFioAQAJ