Jump to content

Windows Update/SSL Inspection Conflict


Infractal
 Share

Recommended Posts

After the update to the windows update agent on Windows 7 (possible 8/8.1 as well) I am not longer able to pull and install updates from Microsoft over WU when SSL inspection is enabled. The connection fails citing a certificate error. I assume MS is tightening up their update agent and pinning a cert to it, so when it sees the ESET cert sitting in the middle for traffic inspection it kills the connection without pulling updates. I disabled SSL inspection and things started working correctly again, but I assume there is a list of URLs used by the Windows Update agent that I can exclude from SSL inspection to give a better workaround?

Link to comment
Share on other sites

If you manually go through the motions to add or re-add the cert to the Trusted Root Certificate Authority in windows, does it make a difference ?

 

On a side note, are you using a local wu server or were you referring to windows servers the whole time ?

Edited by Arakasi
Link to comment
Share on other sites

This is pulling directly from Microsoft's update servers. I haven't seen a problem with contacting internal WSUS servers over HTTPS but I would assume Microsoft is being much more permissive there since an internal WSUS deployment could be using any certificate, where as the ones hosted on Microsoft.com can be pinned.

 

This is for the Windows 7 Windows Update Agent 7.6.7600.256 that was released around July 1st/2nd. When you say re-add the cert, do you mean the ESET one that it uses for SSL inspection or the one on Microsoft's end?

Link to comment
Share on other sites

  • ESET Insiders

ssl not work with origin fifa14/fut14 please resolve,Trusted Root Certificate,but not work!

Link to comment
Share on other sites

This is pulling directly from Microsoft's update servers. I haven't seen a problem with contacting internal WSUS servers over HTTPS but I would assume Microsoft is being much more permissive there since an internal WSUS deployment could be using any certificate, where as the ones hosted on Microsoft.com can be pinned.

 

This is for the Windows 7 Windows Update Agent 7.6.7600.256 that was released around July 1st/2nd. When you say re-add the cert, do you mean the ESET one that it uses for SSL inspection or the one on Microsoft's end?

 

Yes.

 

Run > mmc > Add snapin > certificates > computer account > local computer > trusted root certs > import.

the eset cert exported from the product.

 

stop and restart wu service > try updates again .

Edited by Arakasi
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...