SSL inspection exclusion

[Sidorenko Andrey 0]

Hello.

I read  topic about StartCom and Wo-Sign Root CA https://www.scribd.com/document/325417135/Wo-Sign-and-Start-Com

After this i checked site with startcom certificate. Eset SSL inspection rewrite original certificate.  After disabling inspection on target url eset sill rewriting original certificate.

 

A there any ways to block root CA in Eset Smart security?

How to exclude some host from ssl inspection and certificate rewriting

[itman 1,659]

A there any ways to block root CA in Eset Smart security?

Prior to doing the below steps, you're going to have to export the intermediate root CA you wish to block to a file. Then when you get to step 4., you will select "File." Then select the file where you exported the root CA. Finally, select "block" as the action in step 5.

 

Your can also just set Wo-Sign and StartCom intermediate root CA certificates as "untrusted" using certmgr.msc. Of course, you will have to save the certifcates in a file and then import same as an untrusted publisher. The procedure to do this is here: hxxp://blogs.msmvps.com/alunj/2016/05/26/untrusting-the-blue-coat-intermediate-ca-from-windows/ . Note this was for a Bluecoat certificate but method is the same for any intermediate root CA certificate. -EDIT- Also Eset's SSL protocol scanning uses the Windows root CA certificate store for certificate validation. As such if your purpose is to block all web sites with certificates issued by Wo-Sign or Startcom, the only way to do so is using the certmgr.msc method when using SSL protocol scanning. Or, block each individual web site certificate using Eset's certificate exclusion feature.

 

Or, just wait. Apple has already blocked these intermediate root CA certificates. Hopefully, Microsoft will be doing the same shortly.  

 

Edited October 6, 2016 by itman

[Marcos 5,070]

You can switch SSL filtering to interactive mode, make an attempt to connect to a site you want to exclude and select "Exclude" when prompted for an action.