
ESET SSL on Firefox can't access website



Hi. As the title says, I have had a problem lately with Firefox and ESET. When I try to load a website or log in and get 2FA, nothing happens.

I can only solve this problem when I disable SSL/TLS protocol filtering.

So, I checked the certificates, and in Windows Trusted Root I have ESET SSL Filter CA. I also checked the thumbprint and it's the same as the one registered in the ESET root certificate. I also checked in Firefox and I don't have ESET SSL Filter CA registered there, but I think that is OK because I have these two options set to true.

   

security.certerrors.mitm.auto_enable_enterprise_roots - true

security.enterprise_roots.enabled - true

Any idea what else I can check and try?
   

  • Administrators

Do you receive an error when attempting to open any https website? If so, please provide a screen shot of the warning that you are getting.


For example, when I try to log on to the website, after entering the username and password, I should get a window for 2FA. But when I press the log in button, the screen just keeps loading.

With Chrome and Edge I don't have that problem on the same website. With Firefox I can only solve that when I disable SSL/TLS protocol filtering.

On my office PC, when I try to access that website, the problem is the same (on the office PC I'm using Endpoint Security).

Also, I have a problem accessing ESMC over Firefox. The error page is in the attachment. When I switch to Chrome I don't have that problem.

 

Pic.jpg


  • Administrators

With Firefox not running, try renaming C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\%profilename%\cert9.db, e.g. to cert9.bak and then launch Firefox.


Based on this: https://dimitri.janczak.net/2019/11/25/firefox-displays-ssl-error-sec_error_inadequate_key_usage-when-using-self-signed-certificate/ , I would say Eset's root CA certificate needs to be added to Firefox's Authority store.

I suspect the 2FA validation process is performing additional certificate verification processing in regards to cert. chaining activities.


I will also add that not all two factor authorization processing is the same.

My bank has 2FA and I have no issues with Eset's B&PP using Firefox. 

Eset doesn't perform SSL/TLS protocol scanning for my bank's web sites. Therefore the solution, as I see it, is to exclude these web sites with 2FA from Eset SSL/TLS protocol scanning. Also, it is likely that the 2FA web page has a unique cert. associated with it. So that would be the cert. that needs to be excluded. Problem is you will have to temporarily exclude Eset SSL/TLS protocol scanning to access the 2FA web page, then exclude that cert. and re-enable Eset SSL/TLS protocol scanning.

Edited by itman

2 hours ago, itman said:

Based on this: https://dimitri.janczak.net/2019/11/25/firefox-displays-ssl-error-sec_error_inadequate_key_usage-when-using-self-signed-certificate/ , I would say Eset's root CA certificate needs to be added to Firefox's Authority store.

I suspect the 2FA validation process is performing additional certificate verification processing in regards to cert. chaining activities.

OK, I tried this and I think it did solve the problem with ESMC; so far I haven't received the error.

But the problem with 2FA is still the same.

1 hour ago, itman said:

I will also add that not all two factor authorization processing is the same.

My bank has 2FA and I have no issues with Eset's B&PP using Firefox. 

Here's the solution to the issue. Eset doesn't perform SSL/TLS protocol scanning for my bank's web sites. Therefore the solution, as I see it, is to exclude these web sites with 2FA from Eset SSL/TLS protocol scanning.

Yeah, I know it's not the same. For instance, I have 2FA on multiple websites, but I only have a problem with this one. So I tried excluding that website in protocol filtering (excluded IP addresses).

But can you tell me how I can exclude it from SSL/TLS protocol scanning? I only know about the list of SSL/TLS filtered applications.

1 hour ago, Marcos said:

What about uninstalling Firefox, deleting user profiles and installing it from scratch?

Frankly, I haven't tried that because it is my last option. If I'm sure that this is the problem, I will do it. But I will try to install Win 10 on a VM and try there, to be sure whether it works as a fresh install.


1 hour ago, itman said:

I will also add that not all two factor authorization processing is the same.

My bank has 2FA and I have no issues with Eset's B&PP using Firefox. 

Eset doesn't perform SSL/TLS protocol scanning for my bank's web sites. Therefore the solution, as I see it, is to exclude these web sites with 2FA from Eset SSL/TLS protocol scanning. Also, it is likely that the 2FA web page has a unique cert. associated with it. So that would be the cert. that needs to be excluded. Problem is you will have to temporarily exclude Eset SSL/TLS protocol scanning to access the 2FA web page, then exclude that cert. and re-enable Eset SSL/TLS protocol scanning.

Yeah, it probably has. And I'm sure it is something to do with that, because when I disable SSL/TLS protocol filtering everything works fine on that website. Can you help me with excluding the certificate?

Do you mean to go to the List of known certificates, import it from URL, and allow access and ignore scan for that certificate?


35 minutes ago, Dusan said:

But can you tell me how I can exclude it from SSL/TLS protocol scanning? I only know about the list of SSL/TLS filtered applications.

The easiest way to do this is to exclude the entire web site from SSL/TLS protocol scanning.

Refer to this: https://support.eset.com/en/kb5833-manage-protocolssltls-filtering-in-eset-windows-home-products . Scroll down to this section in the article - "SSL/TLS Scanning." Proceed to this sub-section: "Remove a certificate from the known certificates list". Important - we are not removing anything. Only use this as a guide to find the cert. associated with the 2FA web site you are having issues with. Select the site URL - certificate entry and mouse click on the Edit tab. Change the "Scan action" to Ignore. Save your changes. Verify that changes were made.

Now try to access this 2FA web site you're having issues with.

Edited by itman

20 minutes ago, Dusan said:

Do you mean to go to the List of known certificates, import it from URL, and allow access and ignore scan for that certificate?

This is the next step to do if the above Scan action set to Ignore doesn't work.


1 hour ago, itman said:

The easiest way to do this is to exclude the entire web site from SSL/TLS protocol scanning.

Refer to this: https://support.eset.com/en/kb5833-manage-protocolssltls-filtering-in-eset-windows-home-products . Scroll down to this section in the article - "SSL/TLS Scanning." Proceed to this sub-section: "Remove a certificate from the known certificates list". Important - we are not removing anything. Only use this as a guide to find the cert. associated with the 2FA web site you are having issues with. Select the site URL - certificate entry and mouse click on the Edit tab. Change the "Scan action" to Ignore. Save your changes. Verify that changes were made.

Now try to access this 2FA web site you're having issues with.

In the list of known certificates I don't have anything, so I can't edit any certificate associated with that web site.

 

Pict.jpg


 

18 minutes ago, Dusan said:

In the list of known certificates I don't have anything, so I can't edit any certificate associated with that web site.

Ok. I guess you never used Eset Banking & Payment Protection for anything since it will ask you whether you want to add the web site certs. there.

So it's on to Plan B:

1 hour ago, itman said:

Do you mean to go to the List of known certificates, import it from URL, and allow access and ignore scan for that certificate?

To do this, you will have to temporarily disable SSL/TLS protocol filtering. Then add the cert. associated with the 2FA web page. "My gut is telling me" this web page is using a different cert. than the rest of the URLs associated with the web site. Make sure you re-enable SSL/TLS protocol filtering afterwards.

Edited by itman

17 minutes ago, itman said:

 

Ok. I guess you never used Eset Banking & Payment Protection for anything since it will ask you whether you want to add the web site certs. there.

No, I don't use Eset Banking & Payment Protection.

17 minutes ago, itman said:

So it's on to Plan B:

To do this, you will have to temporarily disable SSL/TLS protocol filtering. Then add the cert. associated with the 2FA web page. "My gut is telling me" this web page is using a different cert. than the rest of the URLs associated with the web site. Make sure you re-enable SSL/TLS protocol filtering afterwards.

I can't do it in that exact order. When I disable SSL/TLS protocol filtering every other option is greyed out, so I can't add the cert.

I left it enabled and added the cert, but still nothing.


2 minutes ago, Dusan said:

I left it enabled and added the cert, but still nothing.

I assume then you just added the cert. for the web site's home page then? Check the cert. used on the web site's logon web page. Is it different than the one for the home page? My bank's web site literally uses a different cert. for every web site section accessed. If the cert. for the logon page is different than the home page's, add the cert. exclusion for the logon web page.

 


If all the above fail, you can download the cert. for the 2FA web site using Firefox. Then add it to the List of known certificates, import it from File, and allow access and ignore scan for that certificate.

Again, to do this you will have to temporarily disable SSL/TLS protocol filtering, download the cert., and then re-enable SSL/TLS protocol filtering.

Edited by itman

1 hour ago, itman said:

I assume then you just added the cert. for the web site's home page then? Check the cert. used on the web site's logon web page. Is it different than the one for the home page? My bank's web site literally uses a different cert. for every web site section accessed. If the cert. for the logon page is different than the home page's, add the cert. exclusion for the logon web page.

 

In the picture you will see the name of the site and the cert. for it. The strange thing is that when I try to check the cert. on the Firefox page, it just shows that it doesn't recognize the cert.

But when I try to import the cert from URL in Eset, it shows a different cert. You can see it in the second picture. I checked in Firefox and it is listed among the trusted certs.

Also, when I go to the trusted certs in Firefox and export it, I can't import it in Eset.


14 hours ago, Dusan said:

In the picture you will see the name of the site and the cert. for it. The strange thing is that when I try to check the cert. on the Firefox page, it just shows that it doesn't recognize the cert.

You didn't post any screen shots? We need a screen shot of the web page where you enter your 2FA data. That is, if it's actually a web page and not some type of popup screen being generated by the web site?

To download the web site certificate, perform the following. I will be using the Eset forum web page as an example on how to add a certificate using the "File" option:

1. Mouse click on lock symbol that precedes the URL.

2. Expand; i.e. mouse click on ">", Connection secure details.

3. Mouse click on More Information.

4. Mouse click on View Certificate:

Eset_Cert_1.png.4049f28e87f983449abef4cb4beaead3.png

5. Download the web site certificate to wherever by mouse clicking on PEM (cert):

Eset_Cert_2.thumb.png.c3be4d82aa42e837ac6d66c3bd7a6381.png

6. Now add the certificate to Eset as shown in the below screen shot. Note: you are using the "File" option:

Eset_Cert_3.png.9575401bf17834ba4dffc5d65165305a.png

7. Set Scan action to Ignore:

Eset_Cert_4.png.43dc20760aa20a41cda55924274e79ef.png

8. The end result is that the certificate is added to Eset with it set to be ignored by SSL/TLS protocol scanning:

Eset_Cert_5.png.73ee60508b3694474189da2ac5726e8c.png

Edited by itman

1 hour ago, itman said:

You didn't post any screen shots? We need a screen shot of the web page where you enter your 2FA data. That is, if it's actually a web page and not some type of popup screen being generated by the web site?

To download the web site certificate, perform the following. I will be using the Eset forum web page as an example on how to add a certificate using the "File" option:

1. Mouse click on lock symbol that precedes the URL.

2. Expand; i.e. mouse click on ">", Connection secure details.

3. Mouse click on More Information.

4. Mouse click on View Certificate:

Eset_Cert_1.png.4049f28e87f983449abef4cb4beaead3.png

5. Download the web site certificate to wherever by mouse clicking on PEM (cert):

Eset_Cert_2.thumb.png.c3be4d82aa42e837ac6d66c3bd7a6381.png

6. Now add the certificate to Eset as shown in the below screen shot. Note: you are using the "File" option:

Eset_Cert_3.png.9575401bf17834ba4dffc5d65165305a.png

7. Set Scan action to Ignore:

Eset_Cert_4.png.43dc20760aa20a41cda55924274e79ef.png

8. The end result is that the certificate is added to Eset with it set to be ignored by SSL/TLS protocol scanning:

Eset_Cert_5.png.73ee60508b3694474189da2ac5726e8c.png

Omg, sorry. I forgot to attach the pictures. I am attaching the pictures that I was supposed to add last night.

And I also tried what you told me, without success. I added a picture for that.

Pic1.jpg

Pic2.jpg

Pciture10.jpg


49 minutes ago, Dusan said:

And I also tried what you told me, without success. I added a picture for that.

You are not paying attention to what I am posting:

16 hours ago, itman said:

Again, to do this you will have to temporarily disable SSL/TLS protocol filtering, download the cert., and then re-enable SSL/TLS protocol filtering.

You are accessing the cex.io website with SSL/TLS protocol scanning enabled. As such, the certificate exclusion is not being created properly. Note that the cert. you added has Eset as the cert. issuer.

Again ........

1. Delete the existing cex.io entry from the List of known certificates.

2. Disable SSL/TLS protocol scanning.

3. Download the cex.io web site certificate as previously posted.

4. Enable SSL/TLS protocol scanning.

5. Proceed to add the previously downloaded cex.io certificate to the List of known certificates using the File method as previously posted.

Edited by itman
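The point made in the post above, that a certificate saved while filtering is active names Eset as its issuer, can be checked on the exported PEM file before it is imported as an exclusion. This is an added example, not code from the thread or from ESET; `InspectExport`, `sampleExport` and the `site.example` certificates are constructed for illustration, and the issuer name is the one quoted in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// filterCA is the issuer name quoted in the thread; matching on CN is an assumption.
const filterCA = "ESET SSL Filter CA"

// InspectExport parses the first certificate of a PEM export and reports its issuer CN,
// SHA-256 fingerprint, and whether the local filter (not the site's CA) issued it.
func InspectExport(pemBytes []byte) (issuer, fingerprint string, reSigned bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", "", false, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", false, err
	}
	issuer = cert.Issuer.CommonName
	fingerprint = fmt.Sprintf("%X", sha256.Sum256(cert.Raw))
	return issuer, fingerprint, strings.Contains(issuer, filterCA), nil
}

// sampleExport builds a constructed certificate for site with issuerCN as its issuer.
func sampleExport(site, issuerCN string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: site},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, parent, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(InspectExport(sampleExport("site.example", filterCA)))
	fmt.Println(InspectExport(sampleExport("site.example", "Constructed Public CA")))
}
```

A file for which `reSigned` is true was saved through the filter and is not the site's own certificate, which is the situation described in the post.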

1 hour ago, itman said:

You are not paying attention to what I am posting:

You are accessing the cex.io website with SSL/TLS protocol scanning enabled. As such, the certificate exclusion is not being created properly. Note that the cert. you added has Eset as the cert. issuer.

Again ........

1. Delete the existing cex.io entry from the List of known certificates.

2. Disable SSL/TLS protocol scanning.

3. Download the cex.io web site certificate as previously posted.

4. Enable SSL/TLS protocol scanning.

5. Proceed to add the previously downloaded cex.io certificate to the List of known certificates using the File method as previously posted.

OK. I read both posts again. Now, I deleted the old cert., disabled SSL/TLS, downloaded the cex.io cert., enabled SSL/TLS, and imported the cert. I still can't access the web site.

But I need to mention that on cex.io it shows me 3 tabs with certificates. I did that with only the cex.io cert. Nothing.

Then I tried to add all 3, but first I deleted the existing cert. and followed the previous steps to download and import all 3 of them. Still nothing.

 

Annotation 2021-04-03 191923.jpg

Edited by Dusan

22 hours ago, Marcos said:

What about uninstalling Firefox, deleting user profiles and installing it from scratch?

Just to say that I installed Win 10 on a VM, installed Firefox and a free trial of Eset, and it's the same problem. I can't log in on the website.


35 minutes ago, Dusan said:

Then I tried to add all 3, but first I deleted the existing cert. and followed the previous steps to download and import all 3 of them. Still nothing.

I really don't believe Eset is the issue here. You have excluded the bank web site from SSL/TLS protocol scanning.

Post a screen shot of the 2FA web page, popup, whatever is being displayed where you enter the 2FA code being assigned.

-EDIT- Also, if it's a web page, post a screen shot of the cert. being used.

Edited by itman

I found a YouTube video by CEX that explains the 2FA processing. It certainly looks like a web page to me. And again, I suspect it is using a different cert. than the rest of the cex.io web site.

Also here: https://support.cex.io/en/articles/4383389-two-factor-authentication-2fa-troubleshooting-tips , there is wording about Google Authenticator. Are you using that?

cex_2FA.thumb.png.9f820e91bf4906d36e77d160aacdd100.png


This topic is now closed to further replies.