certificate revoked invalid OCSP

Hello,

I am trying to open this website: https://tvs.bce.lt but I am facing "certificate revoked, invalid OCSP response".

The website opens normally at another company protected with the same version of ESET.

I added the certificate to the excluded certificates in SSL/TLS filtering but get the same error.
I also added the website to the exclusions but still have the same issue.

Firefox works, but Chrome and Explorer don't.

  • Administrators

Sounds like one of the servers behind a load balancer is providing an invalid OCSP response. I'm not having any issues opening the website but that's most likely because I've got a response from a server which provides a valid OCSP response or OCSP stapling is not used on the server (didn't check the SSL communication to find out).

Strange that you're getting a different result with Firefox and other browsers. Try reloading the web page in Firefox by pressing Ctrl+F5.


55 minutes ago, Chanklish said:

I am trying to open this website: https://tvs.bce.lt but I am facing "certificate revoked, invalid OCSP response".

I can open this web site fine in FireFox.

It won't open at all in IE11. All I get is a blank web page. Ditto for Edge. However, Edge didn't show any intermediate cert. in the cert. chain path. So something is wrong with the cert. validation path for this web site.

Per the Qualys SSL Server Test, one chain path has an extra cert. in it. This status has caused past issues with Eset SSL/TLS protocol scanning:

I excluded the web site from Eset SSL/TLS protocol scanning and, per the attached screenshot, it will still not display properly in IE11. At this point, I would say Eset is not the problem. Note that the certificate chain displayed is not correct since the web site's root CA store certificate is missing.

Since the site displays properly in Firefox regardless of the Eset SSL/TLS scanning exclusion, use it for access to this web site.

2 minutes ago, itman said:

I excluded the web site from Eset SSL/TLS protocol scanning and, per the attached screenshot, it will still not display properly in IE11. At this point, I would say Eset is not the problem. Note that the certificate chain displayed is not correct since the web site's root CA store certificate is missing.

Since the site displays properly in Firefox regardless of the Eset SSL/TLS scanning exclusion, use it for access to this web site.

What about Chrome? I cannot install Firefox for an entire department just because my endpoint solution has no workaround for this.

It should be my decision what is blocked and what is not.

32 minutes ago, Chanklish said:

What about Chrome?

You can try Chrome since it uses its own certificate store. I did test with the Eset cert. exclusion using Edge Chromium and the result was the same as for IE11.

Also, below is a screenshot from FireFox with the Eset cert. exclusion still in place. The certificate chain processing is correct. It appears IE11 and Edge are both using the path #2 chain noted in the Qualys screenshot. It is the extra chain cert. download in this validation path that is the issue for those browsers.
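Marcos's load-balancer explanation earlier in the thread and itman's note on the extra chain cert. both come down to what the server hands a client on a given connection. The script below is an added example, not code from this thread, ESET or Qualys: it connects to a host several times with openssl, reports the stapled OCSP verdict each time and lists the chain the server sent, so inconsistent backends or an unexpected intermediate show up directly. It assumes openssl is installed and takes a placeholder host name as its first argument.

```shell
#!/bin/sh
# Added example (not from this thread, ESET or Qualys): probe a TLS site several
# times, report the stapled OCSP verdict each connection received and the chain
# the server sent. Differing verdicts across connections fit a load balancer
# with one misbehaving backend; an unexpected intermediate in the chain list
# fits the "extra cert. in the path" observation. Assumes openssl is in PATH.

# Reduce `openssl s_client -status` output to "<response status>|<cert status>",
# or "no-staple" when the server stapled nothing.
parse_staple() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "no-staple"
        return 0
    fi
    resp=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: *//p' | head -n 1)
    cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    echo "${resp:-unknown}|${cert:-unknown}"
}

# From `openssl s_client -showcerts` output, print one "<depth> <subject>" line
# per certificate the server sent (the " 0 s:CN = ..." lines).
chain_subjects() {
    printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) s:\(.*\)$/\1 \2/p'
}

# Connect n times (default 5) and warn when the OCSP verdict is not consistent.
probe() {
    host="$1"; n="${2:-5}"; results=""; i=1
    while [ "$i" -le "$n" ]; do
        out=$(openssl s_client -connect "$host:443" -servername "$host" \
                  -status -showcerts </dev/null 2>/dev/null || true)
        r=$(parse_staple "$out")
        echo "connection $i: OCSP $r"
        if [ "$i" -eq 1 ]; then
            echo "chain as sent by the server:"
            chain_subjects "$out" | sed 's/^/  /'
        fi
        results="$results$r
"
        i=$((i + 1))
    done
    distinct=$(printf '%s' "$results" | sort -u | grep -c . || true)
    [ "$distinct" -gt 1 ] && echo "WARNING: $distinct different OCSP verdicts in $n connections"
    return 0
}

if [ "$#" -ge 1 ]; then probe "$@"; fi
```

Run it as `sh probe.sh example.test 10` (placeholder host); a mix of `good`, `revoked` and `no-staple` verdicts across connections points at the backends rather than at the client or the scanning proxy.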

6 hours ago, itman said:

You can try Chrome since it uses its own certificate store. I did test with the Eset cert. exclusion using Edge Chromium and the result was the same as for IE11.

Also, below is a screenshot from FireFox with the Eset cert. exclusion still in place. The certificate chain processing is correct. It appears IE11 and Edge are both using the path #2 chain noted in the Qualys screenshot. It is the extra chain cert. download in this validation path that is the issue for those browsers.

How is it possible to download this certificate to add it to the exclusion?

I added all the certificates and chain certificates but it is still not working.

Now even Firefox is blocked, my work is halted and my only solution is to remove ESET!

  • Administrators
1 hour ago, Chanklish said:

I added all the certificates and chain certificates but it is still not working.

Now even Firefox is blocked, my work is halted and my only solution is to remove ESET!

Please carry on as follows:
- under Help and support -> Details for technical support enable advanced logging
- reproduce the warning
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

7 minutes ago, Marcos said:

Please carry on as follows:
- under Help and support -> Details for technical support enable advanced logging
- reproduce the warning
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

"Under Help and support -> Details for technical support enable advanced logging": on the server side?
The ESET Log Collector on the endpoint?

  • Administrators

Ok, Endpoint doesn't have this option. So in order to enable advanced logging, navigate to Tools -> Diagnostics in the advanced setup:

17 minutes ago, Marcos said:

Ok, Endpoint doesn't have this option. So in order to enable advanced logging, navigate to Tools -> Diagnostics in the advanced setup:

Here you go, Marcos.

ees_logs.zip

4 hours ago, Chanklish said:

Now even Firefox is blocked

I can connect to the web site in FireFox w/o an Eset cert. exclusion for it. It has to be something in how Internet traffic is being routed from your location in the Congo in regards to cert. chain validation processing.

9 minutes ago, itman said:

I can connect to the web site in FireFox w/o an Eset cert. exclusion for it. It has to be something in how Internet traffic is being routed from your location in the Congo in regards to cert. chain validation processing.

I can work normally without ESET; the problem is only present on computers with ESET Endpoint.
I also have Bitdefender on some computers and the website works normally (on Chrome and Firefox).

I do see one issue.

Refer to the AAA Certificate Services root CA store cert. shown in the Qualys path #2 cert. verification chain.

I checked my Win 10 root CA certificate store and an AAA Certificate Services certificate does indeed exist there. However, the thumbprint shown doesn't match that shown for the same cert. in the Qualys analysis. This I assume is the reason why the web site won't render in any browser that uses the Win root CA certificate store by default, such as IE11 and Edge.

It appears to me some type of "man-in-the-middle" activity is occurring when trying to access this web site.

It gets worse.

Here's the web site cert. thumbprint per FireFox:

-EDIT- Scratch this analysis. I forgot to exclude the site from Eset SSL/TLS scanning.

17 minutes ago, itman said:

It gets worse.

Here's the web site cert. thumbprint per FireFox:

Here's what the GRC independent lookup cert. thumbprint analysis shows:

Personally, I would not access this web site for anything until this gets straightened out.

There is nothing of value to be stolen; at most they know the location of my trucks.

I am pretty sure I know what the issue is and it's a "humdinger."

Again refer to the Qualys path #2 analysis. Note that the thumbprint for the AAA Certificate Services certificate was calculated using SHA256. This implies that the corresponding cert. accessed from the OCSP server they used in the analysis was created using SHA256. However, the AAA Certificate Services certificate in the Win root CA store on my device is using SHA1.

So I am not sure that Eset's adding this SHA256 cert. to their OCSP servers will solve the issue. It might require Microsoft issuing an update to the AAA Certificate Services certificate in the Win root CA store.

As far as FireFox goes, the AAA Certificate Services certificate doesn't exist in their Authorities cert. store. So it appears it terminates its cert. chain validation at the User Trust cert. level.

4 minutes ago, itman said:

I am pretty sure I know what the issue is and it's a "humdinger."

Again refer to the Qualys path #2 analysis. Note that the thumbprint for the AAA Certificate Services certificate was calculated using SHA256. This implies that the corresponding cert. accessed from the OCSP server they used in the analysis was created using SHA256. However, the AAA Certificate Services certificate in the Win root CA store on my device is using SHA1.

So I am not sure that Eset's adding this SHA256 cert. to their OCSP servers will solve the issue. It might require Microsoft issuing an update to the AAA Certificate Services certificate in the Win root CA store.

As far as FireFox goes, the AAA Certificate Services certificate does exist in their Authorities cert. store. So it appears it terminates its cert. chain validation at the User Trust cert. level.

What would you suggest?

2 minutes ago, Chanklish said:

What would you suggest?

Do what @Marcos instructed and we'll proceed from there. It appears your client devices having this issue are all Win 7 based?

Here's what another SSL Checker web site yields. Note this was done with the Eset SSL/TLS protocol scanning certificate exclusion for the web site in place: