certificate revoked invalid oscp

[Chanklish 1]

hello

I am trying to open this website : https://tvs.bce.lt but i am facing certificate revoked , invalid oscp response.

the website opens normally on another company protected with same version of ESET 

I added the certificate to the excluded certificate in ssl/tls filtering but same error 
i also added the website in the exclusion but still same issue

Firefox works , but chrome and explorer don't

[Marcos 5,070]

Sounds like one of the servers behind a load balancer is providing an invalid OCSP response. I'm not having any issues opening the website but that's most likely because I've got a response from a server which provides a valid OCSP response or OCSP stapling is not used on the server (didn't check the SSL communication to find out).

Strange that you're getting a different result with Firefox and other browsers. Try reloading the web page in Firefox by pressing Ctrl+F5.

[itman 1,659]

55 minutes ago, Chanklish said:

I am trying to open this website : https://tvs.bce.lt but i am facing certificate revoked , invalid oscp response.

I can open this web site fine in FireFox.

It won't open at all in IE11. All I get is a blank web page. Ditto for Edge. However, Edge didn't show any Intermediate cert. in the cert. chain path. So something is wrong with the cert. validation path for this web site.

Edited April 12, 2021 by itman

[itman 1,659]

Per Quals SSL Server check, a chain path has an extra cert. in it. This status has caused past issues with Eset SSL/TLS protocol scanning:

[Chanklish 1]

What can i do ?

[itman 1,659]

I excluded the web site from Eset SSL/TLS protocol scanning and per below screen shot, it will still not display properly in IE11. At this point, I would say Eset is not the problem. Note that the certificate chain displayed is not correct since the web site root CA store certificate is missing.

Since the site displays properly in Firefox regardless of Eset SSL/TLS scanning exclusion, use it for access to this web site.

[Chanklish 1]

2 minutes ago, itman said:

I excluded the web site from Eset SSL/TLS protocol scanning and per below screen shot, it will still not display properly in IE11. At this point, I would say Eset is not the problem. Note that the certificate chain displayed is not correct since the web site root CA store certificate is missing.

Since the site displays properly in Firefox regardless of Eset SSL/TLS scanning exclusion, use it for access to this web site.

What about chrome? I cannot install forefox for an entire department juat cause my endpoint solution has no workaround for this 

It should be my decision what is blocked and what is not

[itman 1,659]

32 minutes ago, Chanklish said:

What about chrome?

You can try Chrome since it uses its own certificate store. I did test with the Eset cert. exclusion using Edge Chromium and the result was the same as for IE11.

Also below is a screen shot from FireFox w/Eset cert. exclusion still in place. The certificate chain processing is correct. It appears both IE11 and Edge are both using the path #2 chain noted in the QUALS screen shot. It is the extra chain cert. download in this validation path that is the issue for those browsers. 

Edited April 12, 2021 by itman

[Chanklish 1]

6 hours ago, itman said:

You can try Chrome since it uses its own certificate store. I did test with the Eset cert. exclusion using Edge Chromium and the result was the same as for IE11.

Also below is a screen shot from FireFox w/Eset cert. exclusion still in place. The certificate chain processing is correct. It appears both IE11 and Edge are both using the path #2 chain noted in the QUALS screen shot. It is the extra chain cert. download in this validation path that is the issue for those browsers. 

How is it possible to download this certificate to be added for the exclusion?

[Chanklish 1]

i added all the certificates and chain certificates but still it is not working

now even firefox is blocked , my work is halted and my only solution is to remove ESET!

[Marcos 5,070]

1 hour ago, Chanklish said:

i added all the certificates and chain certificates but still it is not working

now even firefox is blocked , my work is halted and my only solution is to remove ESET!

Please carry on as follows:
- under Help and support -> Details for technical support enable advanced logging
- reproduce the warning
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

[Chanklish 1]

7 minutes ago, Marcos said:

Please carry on as follows:
- under Help and support -> Details for technical support enable advanced logging
- reproduce the warning
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

under Help and support -> Details for technical support enable advanced logging -- server side ?
the eset log collector on endpoint ?

[Marcos 5,070]

Ok, Endpoint doesn't have this option. So in order to enable advanced logging, navigate to tools -> diagnostics in the advanced setup:

[Chanklish 1]

17 minutes ago, Marcos said:

Ok, Endpoint doesn't have this option. So in order to enable advanced logging, navigate to tools -> diagnostics in the advanced setup:

here you go Marcos 

 

ees_logs.zip

[itman 1,659]

4 hours ago, Chanklish said:

now even firefox is blocked

I can connect to the web site in FireFox w/o an Eset cert. exclusion for it. It has to be something in how Internet traffic is being routed from your location in the Congo in regards to cert. chain validation processing.

[Chanklish 1]

9 minutes ago, itman said:

I can connect to the web site in FireFox w/o an Eset cert. exclusion for it. It has to be something in how Internet traffic is being routed from your location in the Congo in regards to cert. chain validation processing.

i can work normally without ESET , the problem is only present on computers with ESET endpoint
i also have bitdefender on some computers and the website is working normally ( on chrome and firefox )

[itman 1,659]

I do see one issue.

Refer to the AAA Certificate Services root CA store cert. shown the QUALS path #2 cert. verification chain.

I checked my Win 10 root CA certificate store and an AAA Certificate Services certificate does indeed exist there. However, the thumbprint shown doesn't match that shown for the same cert. in the QUALS analysis. This I assume is the reason why the web site won't render in any browser that uses the Win root CA certificate store by default such as IE11 and Edge.

It appears to me some type of "man-in-the-middle" activity is occurring when trying to access this web site.

[itman 1,659]

It gets worse.

Here's the web site cert. thumbprint per FireFox:

-EDIT- Scratch this analysis. I forgot to exclude the site from Eset SSL/TLS scanning.

 

Edited April 13, 2021 by itman

[Chanklish 1]

17 minutes ago, itman said:

It gets worse.

Here's the web site cert. thumbprint per FireFox:

Here's what GRC independent lookup cert. thumbprint analysis shows:

Personally, I would not access this web site for anything until this gets straightened out.

there is nothing of value to be stolen , maximum they know the location of my trucks 

[Chanklish 1]

look at the response of BCE website

[Marcos 5,070]

It appears that a root certificate is missing in our system. Please install https://www.microsoft.com/en-us/download/details.aspx?id=45633 and let us know if it resolves the issue.

[itman 1,659]

I am pretty sure I know what the issue is and it's a "humdinger."

Again refer to the QUALS path #2 path analysis. Note that the thumbprint for the AAA Certificate Services certificate was calculated using SHA256. This implies that the corresponding cert. accessed from the OSCP server they used in the analysis was created using SHA256. However, the AAA Certificate Services certificate in the Win root CA store on my device is using SHA1.

So I am not sure that Eset's adding this SHA256 cert. to their OSCP servers  will solve the issue. It might require Microsoft using an update to the AAA Certificate Services certificate in the Win root CA store.

As far as FireFox goes, the AAA Certificate Services certificate doesn't exist in their Authorities cert, store. So it appears it terminates its cert. chain validation at User Trust cert. level.

Edited April 13, 2021 by itman

[Chanklish 1]

4 minutes ago, itman said:

I am pretty sure I know what the issue is and it's a "humdinger."

Again refer to the QUALS path #2 path analysis. Note that the thumbprint for the AAA Certificate Services certificate was calculated using SHA256. This implies that the corresponding cert. accessed from the OSCP server they used in the analysis was created using SHA256. However, the AAA Certificate Services certificate in the Win root CA store on my device is using SHA1.

So I am not sure that Eset's adding this SHA256 cert. to their OSCP servers  will solve the issue. It might require Microsoft using an update to the AAA Certificate Services certificate in the Win root CA store.

As far as FireFox goes, the AAA Certificate Services certificate does exist in their Authorities cert, store. So it appears it terminates its cert. chain validation at User Trust cert. level.

what would you suggest ?

[itman 1,659]

2 minutes ago, Chanklish said:

what would you suggest ?

Do what @Marcos instructed and we'll proceed from there. It appears your client devices having this issue are all Win 7 based?

Edited April 13, 2021 by itman

[itman 1,659]

Here's what another SSL Checker web site yields. Note this was done with Eset SSL/TLS protocol scanning certificate exclusion for the web site: