11-04-2021 12:03 PM
It appears this bug still happens on both 7.0.0.1 and 7.0.1 for some websites.
Here is an example: https://www.northerncareers.ca
11-04-2021 12:31 PM - edited 11-04-2021 02:32 PM
It appears this site may be TLS 1.3 only. Is there a way to disable resign for TLS 1.3 sites until FTD supports this?
Edit: After watching the back and forth, the server does downgrade to TLS 1.2 without an issue, but then the client sends an "Alert Fatal Decrypt Error".
11-04-2021 08:43 PM
After sifting through a lot of SSL logs, I finally stumbled across this.
Looks like there is a bug and it cannot generate the resigning certificate.
21/11/05 02:37:27.802 [23709:3971]xtls_base_processor.h:update_handshake_digest:192: [DEBUG]: 192.168.10.120 56389 -- 169.53.177.117 443 [SERVER_CERTIFICATE_PROCESSOR] S:s->c update handshake digest[original] length[4244]
21/11/05 02:37:27.802 [23709:3971]xtls_crypto.cc:update_handshake_digest:33: [TRACE]: 192.168.10.120 56389 -- 169.53.177.117 443 S:s->c Updating handshake digest with 4244 bytes
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process_decrypt_resign:263: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to create resigned certificate
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process:86: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to process certificate
21/11/05 02:37:27.802 [23709:3971]xtls_flow.cc:process_common_errors:432: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 F:s->c processing error [handshake_error] code [module [PKI_STORE] code [ENOENT] subcode [5]] verdict[DoNotDecrypt]
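As an added example (not code from the thread or from Cisco), here is a small Python parser for the xtls log format quoted above: it groups ERROR lines per TLS flow and reports which flows fell back to the DoNotDecrypt verdict together with the PKI module and error code that caused it. The sample input is the four lines quoted in the post; the field names and the regex are my assumptions about the format.

```python
import re
from collections import defaultdict

# Shape of the FTD xtls debug lines quoted in the post (assumed from those samples):
# "<yy/mm/dd hh:mm:ss.ms> [<pid>:<tid>]<file>:<func>:<line>: [<LEVEL>]: <cip> <cport> -- <sip> <sport> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+):(?P<tid>\d+)\](?P<file>[\w.]+):(?P<func>\w+):(?P<lno>\d+): "
    r"\[(?P<level>\w+)\]: (?P<cip>[\d.]+) (?P<cport>\d+) -- (?P<sip>[\d.]+) (?P<sport>\d+) (?P<msg>.*)$"
)
# Error detail appended by process_common_errors: module, code, subcode and the final verdict
DETAIL_RE = re.compile(
    r"module \[(?P<module>\w+)\] code \[(?P<code>\w+)\] subcode \[(?P<subcode>\d+)\].*?verdict\[(?P<verdict>\w+)\]"
)

def parse_line(line):
    """Return a dict of fields for one xtls log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flow"] = f"{rec['cip']}:{rec['cport']}->{rec['sip']}:{rec['sport']}"
    d = DETAIL_RE.search(rec["msg"])
    if d:
        rec.update(d.groupdict())
    return rec

def resign_failures(lines):
    """Group ERROR lines per flow; return {flow: {reason, verdict, module, code, subcode}} for failed resigns."""
    flows = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        f = flows[rec["flow"]]
        if "failed to create resigned certificate" in rec["msg"]:
            f["reason"] = "resign_cert_failed"
        if "verdict" in rec:
            f.update({k: rec[k] for k in ("verdict", "module", "code", "subcode")})
    return {flow: info for flow, info in flows.items() if "reason" in info}

# Sample input: the four lines quoted in the post above (one DEBUG, three ERROR).
SAMPLE = """\
21/11/05 02:37:27.802 [23709:3971]xtls_base_processor.h:update_handshake_digest:192: [DEBUG]: 192.168.10.120 56389 -- 169.53.177.117 443 [SERVER_CERTIFICATE_PROCESSOR] S:s->c update handshake digest[original] length[4244]
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process_decrypt_resign:263: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to create resigned certificate
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process:86: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to process certificate
21/11/05 02:37:27.802 [23709:3971]xtls_flow.cc:process_common_errors:432: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 F:s->c processing error [handshake_error] code [module [PKI_STORE] code [ENOENT] subcode [5]] verdict[DoNotDecrypt]
""".splitlines()
```

Running `resign_failures(SAMPLE)` over a full ssl debug capture lets you list every flow that hit the same PKI_STORE/ENOENT path instead of hunting for the lines by hand.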