Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
119
Views
0
Helpful
5
Replies

Secure Web Gateway - 516 Upstream Certificate CN Mismatch (Umbrella)

kbull
Level 1
Level 1

‎07-11-2024 10:40 AM

The certificate errors related to 516 Upstream Certificate CN Mismatch are becoming very problematic for our company. Marketing emails are particularly problematic, and this is disruptive to our staff when trying to sign up for webinars and other "normal" activities. 

I can't believe Cisco Umbrella is okay with such a disruptive and non-productive workflow. Users don't even get the normal block screen allowing them to request access to the blocked page. 

Are there any plans to give administrators the control to allow users to bypass these warnings or a more user-friendly way of dealing with this issue? 

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎07-11-2024 10:52 AM

@kbull it sounds like you using SSL decryption with Umbrella, in which case you must import the Umbrella root certificate to your computers, so they trust the Umbrella certificate.

https://docs.umbrella.com/deployment-umbrella/docs/enable-ssl-decryption

 

0 Helpful

Ken Stieers
VIP
VIP
In response to Rob Ingram

‎07-11-2024 11:01 AM

This is nor the problem he's having.

What happens is that the URL is for company.com, but the server serving it is run by the bulk mailer, with their cert on it (e.g. sendgrid.com) So there is a cert/url mismatch.

Happens with a bunch of different services, like Sendgrid, Mailchimp, etc.

The company sending via needs to fix it... documented fixes exist.

As a workaround you can look at not decrypting for companies you have this issue with.
0 Helpful

Rob Ingram
VIP
VIP
In response to Ken Stieers

‎07-11-2024 11:11 AM

thanks, good to know.

0 Helpful

kbull
Level 1
Level 1
In response to Ken Stieers

‎07-11-2024 11:16 AM

Ken, you are correct that documented fixes exist, but getting companies to fix this is not easy or even feasible in many cases. For example, Home Depot's emails with order tracking links were breaking with this 516 Upstream error.
The other challenge is that there is no easy reporting for end users like a normal blocked page warning. Our staff aren't telling us about blocked pages until they get really frustrated or a block prevents them from doing their job, which is certainly not a good end-user experience. This will also start pushing staff to use personal devices over corporate devices, which, again, is not ideal. 

0 Helpful

kbull
Level 1
Level 1
In response to Rob Ingram

‎07-11-2024 11:18 AM

We are using SSL decryption, and we have the Umbrella root certificate deployed otherwise, every site would break. The issue I am speaking of is documented here: Error 516 Upstream Certificate CN Mismatch – Cisco Umbrella

0 Helpful
Customers Also Viewed These Support Documents