11-24-2020 08:14 AM
Hello, I am wondering if anyone has tested the SSL Decrypt-resign function for DPI on their endpoints in 6.7? We are experiencing an odd behavior across multiple browsers using Win10 1809: when you first load a web page, you get a certificate error, NET::ERR_CERT_AUTHORITY_INVALID. After you refresh the page, however, the certificate message goes away. If I close and reopen Chrome, and try the same webpages that previously failed, I don't get any warning message. If I look at the certificate properties within Chrome, it shows my FTD as the "Issued by", which is the default or normal behavior.
11-24-2020 09:55 PM
11-30-2020 07:55 AM
I looked at the SAN in the certificate properties window and it does match. It's the same behavior every time. If I go to newsite.com, I will get the error message on the very first time I try to load that page. Afterwards, any time I try to go to newsite.com, I never see any certificate errors. Even if I open a new browser and go to newsite.com, I don't get the error message. It's only the very first time I try and go to a new SSL protected website. This behavior did not happen in 6.4, 6.6 for us but started in 6.7. We had to go to 6.7 due to a bug in 6.6.1. If my traffic was taking a different path randomly, you would expect to see the certificate error at those random times it fails. But it is not that behavior. The sites and SSL decrypt policy work after the initial failure.