Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1914
Views
0
Helpful
5
Replies

WSA : getting ERR_CERT_WEAK_SIGNATURE_ALGORITHM on google chrome and microsoft edge, wsa decryption policy

Go to solution
Ismael10
Level 1
Level 1

‎01-17-2021 05:12 AM

Hello All,

 

I'm geeting the following error ERR_CERT_WEAK_SIGNATURE_ALGORITHM when trying to reach HTTPS website.

 

Conditions : 

 

- Cisco WSA version : AsyncOS 11.5.1 build 125

- CA AD private root CA : Signature Hash Algorithm SHA256

- Https proxy : Decrypt All

- Access policies : Block

 

thank you in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ismael10
Level 1
Level 1

‎01-18-2021 04:53 AM

Hi Balaji,

 

thank you again for your feedback.

I found the solution, the issue is related to signature algorithm version, the AD issue a cert with a SHA-1. 

We change the version to SHA-256 in Cert Template from AD, reissue the cert using a new CSR (WSA).

Everything is working fine now.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-17-2021 07:15 AM

Can you post the Logs while accessing the site to look at the full Log for the request?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Ismael10
Level 1
Level 1

‎01-17-2021 04:56 PM

Hi Baladji,

 

thank you for your response!

Find attached the log output of the request.

 

thank you!

Preview file
998 KB
0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-18-2021 03:23 AM

Is this new setup or working one failing  - if new setup, re-visit htpts decryption config.

 

SSLVersionCallback: Invalid SSL version 0  - i see this error, worth looking below thread - make sure you followed correct steps for the Cert and other stuff

 

https://community.cisco.com/t5/web-security/wsa-s190-ssl-configuration-can-t-open-some-web-resourses/m-p/4107325

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Ismael10
Level 1
Level 1

‎01-18-2021 04:53 AM

Hi Balaji,

 

thank you again for your feedback.

I found the solution, the issue is related to signature algorithm version, the AD issue a cert with a SHA-1. 

We change the version to SHA-256 in Cert Template from AD, reissue the cert using a new CSR (WSA).

Everything is working fine now.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-18-2021 04:58 AM

Glad all working for you, we mark as resolve  and  it will benift for other community users.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents