Activation failure and Eset certificate

[katbert 3]

I have a problem with activation one of my servers with Eset File Security 6

 

This server never had direct internet access.

Policy with proxy settings (apache http proxy on ERA Server) was applied.

But activation task fails.

On other servers with same policies activation work correctly.

 

With Wireshark I see connection attempt to edf.eset.com through apache http proxy

And I see direct connection to ctldl.windowsupdate.com, which fail

This is Windows trusted root certificates update source.

When I try to connect edf.eset.com using Internet Explorer on this server.

And I see, what IE don't trust certificate of edf.eset.com.

 

I manually download certificate of eset.com, and install  "thawte Primary Root CA - G3" in the trusted root CA store.

And after this activation task finished successfully.

 

Why ERA Agent don't install necessary root certificates in Windows Store?

Edited April 14, 2016 by katbert

[MichalJ 434]

Hello Katbert,

 

Adding root certificates to Windows Store is considered as a potential security issue, and we do not want to do that without administrator knowing us doing it (it happened many times in the past, that some 3rd party certification authority has issued a certificate for a domain of a specific company, which was subsequently misused).

 

Concerning the possible problems (also for other users searching for this topic):

 

When a certificate is not trusted (in internet explorer), it means that:

• support for sha256 is missing (XP/Windows Server 2003)
  • https://blogs.technet.microsoft.com/pki/2010/09/30/sha2-and-windows/
  • https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO25586
  • *Windows servers may require the following patch 938397. If using XP to connect the to the server the following patch may also be required 968730.
  • For more information regarding SHA2 and Windows from Microsoft. 
  • Additionally for SHA256 connections to be made, TLS1.2 may need to be enabled on the system. 
  • https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO25585
• another known problem is, when client has forbidden TLS 1.0 and client does not have support for TLS1.1 / TLS 1.2 (edf.eset.com supports only TLS, as others are considered insecure)
• last issue might be, how Windows updates are distributed. If access to ctdl.windowsupdate.com is blocked, however WSUS does not distribute actual list of trusted roots to clients. Or inccorect configuration of Public Key Policies is present on clients. 

We are working on improving the activation mechanism for the future versions to be less dependent on updated Windows OS, however the best practice would be to have all certs updated on the machines.

[katbert 3]

How about more detailed error description in activation task results?

 

Task failed, but problem with Eset certificate I can see only in sniffer results

[MichalJ 434]

More granular errors are one of the improvements we are going to do for future releases of our products.