Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2975
Views
0
Helpful
15
Replies

WSA S190 SSL Configuration - can't open some web-resourses

Anton84
Level 1
Level 1

‎06-22-2020 06:20 AM

Hello all, we are using proxy S190, some sites can't open (example 220-volt.ru, onlinetrade.ru etc.)I think,  SSL Configuration is not correctly. Can anybody help me with that problem?

Labels:
Preview file
89 KB
0 Helpful
15 Replies 15

opryluts
Cisco Employee
Cisco Employee

‎06-22-2020 07:42 AM

Hi Anton,

 

I'd start troubleshooting that by checking:

1. Access Logs for transactions towards the failing servers. 

2. Proxy error logs/HTTPS logs for any error messages related to the destination. Enable debug log level temporary to see more details for the transactions.

 

If nothing has been found, I'd collect packet captures on WSA (both legs - client to WSA and WSA to the server at the same time). I'd be looking at TLS handshakes in captures:

1. if any alerts/errors reported

2. what are protocol versions and cipher suits and if they match from both sides

3. any certificate related issues

 

Also to better understand the problem I'd like to know:

1. WSA version 

2. Is HTTPS proxy enabled? Is HTTPS decryption enabled for those specific destinations?

3. How does the issue look from the user perspective? Any error messages displayed in the browser?

 

 

0 Helpful

Anton84
Level 1
Level 1
In response to opryluts

‎06-22-2020 11:32 PM

I see in https -log that, when trying to open onlinetrade.ru:

 

Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Subject Key Identifier: 56:B5:6A:93:3B:B9:0D:10:21:07:43:8E:FA:00:41:EE:EC:75:CD:C3 for Cert: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.onlinetrade.ru
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Subject Key Identifier: 53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB for Cert: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Subject Key Identifier: 8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1 for Cert: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Subject Key Identifier: AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A for Cert: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Error Bitmap is - 00000000 00000000 0
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Generating long serial-number for expired certificate.
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Certificate sha256 fingerprint is - 0x96E31336990C7E64FF723774A78FF5BC2722977836583CC4A4A84BDC67990650
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : New serial computed is 0x96E31336990C7E64FF723774A78FF5BC2722977836583CC4A4A84BDC6799065058304C12
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : SSLVersionCallback: Invalid SSL version 0
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : New Session negotiated with SSL client
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL
Tue Jun 23 10:06:20 2020 Debug: HTTPS : - : Verify Cert Callback error - code = 3 : unable to get certificate CRL

0 Helpful

opryluts
Cisco Employee
Cisco Employee
In response to Anton84

‎06-23-2020 12:44 AM

Hi Anton,

Thanks for the logs.

 

Seems the issue is caused by cross-signed certs in the chain and recently expired Add-Trust certificate. More details are here https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

 

Please check the version of the trusted cert bundle on the WSA (GUI -> Network -> Certificate Management) - version 1.7 should have the fix for the issue. If it is lower than 1.7 please try updating it.

 

0 Helpful

Anton84
Level 1
Level 1
In response to opryluts

‎06-23-2020 04:56 AM

Thanks for your answer, I see 1.7 version, but stange that status is "updates in progress"

 

Preview file
87 KB
0 Helpful

opryluts
Cisco Employee
Cisco Employee
In response to Anton84

‎06-23-2020 05:08 AM - edited ‎06-23-2020 05:09 AM

Hi Anton,

Please grep updater logs for the "trusted_root" keyword and check if any error messages displayed.

 

Also you can try restarting updater service by CLI -> diagnostic -> services -> updater -> restart command.

0 Helpful

Anton84
Level 1
Level 1
In response to opryluts

‎06-23-2020 05:59 AM

when i click to update, i see in logs:

 

Tue Jun 23 16:12:50 2020 Info: Starting scheduled update
Tue Jun 23 16:12:51 2020 Info: Scheduled next update to occur at Tue Jun 23 16:17:51 2020
Tue Jun 23 16:15:45 2020 Info: Scheduled next wbrs update to occur at Tue Jun 23 16:20:45 2020
Tue Jun 23 16:17:51 2020 Info: Starting scheduled update
Tue Jun 23 16:17:56 2020 Info: Scheduled next update to occur at Tue Jun 23 16:22:56 2020
Tue Jun 23 16:20:45 2020 Info: Scheduled next wbrs update to occur at Tue Jun 23 16:25:45 2020
Tue Jun 23 16:22:56 2020 Info: Starting scheduled update
Tue Jun 23 16:22:58 2020 Info: Scheduled next update to occur at Tue Jun 23 16:27:58 2020
Tue Jun 23 16:23:14 2020 Info: Received remote command to signal a manual update
Tue Jun 23 16:23:14 2020 Info: Starting manual update
Tue Jun 23 16:23:15 2020 Info: Scheduled next update to occur at Tue Jun 23 16:28:15 2020
Tue Jun 23 16:25:45 2020 Info: Scheduled next wbrs update to occur at Tue Jun 23 16:30:45 2020
Tue Jun 23 16:28:15 2020 Info: Starting scheduled update
Tue Jun 23 16:28:16 2020 Info: Scheduled next update to occur at Tue Jun 23 16:33:16 2020

 

If i grep "trusted_root" in log, i see old logs:

Mon Jun 1 23:02:27 2020 Info: trusted_root applying file "trusted_root/1.0.0/trustedca.pem/default/1583495981"
Mon Jun 1 23:02:44 2020 Info: trusted_root verifying applied files
Mon Jun 1 23:02:44 2020 Info: trusted_root updating the client manifest
Mon Jun 1 23:02:44 2020 Info: trusted_root update completed
Mon Jun 1 23:02:44 2020 Info: trusted_root waiting for new updates
Thu Jun 4 02:46:41 2020 Info: trusted_root updater shutdown complete
Thu Jun 4 02:46:41 2020 Info: trusted_root waiting for new updates
Fri Jun 5 12:32:52 2020 Info: trusted_root updater shutdown complete
Fri Jun 5 12:32:52 2020 Info: trusted_root waiting for new updates
Fri Jun 5 16:53:10 2020 Info: trusted_root updater shutdown complete
Fri Jun 5 16:53:10 2020 Info: trusted_root waiting for new updates
Wed Jun 10 17:38:19 2020 Info: trusted_root updater shutdown complete
Wed Jun 10 17:38:19 2020 Info: trusted_root waiting for new updates

 

by CLI - > diagnostic I dont have any services:

 

diagnostic


Choose the operation you want to perform:
- NET - Network Diagnostic Utility.
- PROXY - Proxy Debugging Utility.
- REPORTING - Reporting Utilities.

 

 

 

0 Helpful

opryluts
Cisco Employee
Cisco Employee
In response to Anton84

‎06-23-2020 06:26 AM

Thanks Anton,

 

Those lines indicate that the trust cert bundle has been downloaded:

Mon Jun 1 23:02:27 2020 Info: trusted_root applying file "trusted_root/1.0.0/trustedca.pem/default/1583495981"
Mon Jun 1 23:02:44 2020 Info: trusted_root verifying applied files
Mon Jun 1 23:02:44 2020 Info: trusted_root updating the client manifest
Mon Jun 1 23:02:44 2020 Info: trusted_root update completed
Mon Jun 1 23:02:44 2020 Info: trusted_root waiting for new updates

Might be it was not properly applied to the proxy services since still GUI reports that update is in progress. You can try rebooting the box out of production hours and see if that helps.

0 Helpful

Anton84
Level 1
Level 1
In response to opryluts

‎06-28-2020 10:17 PM

Unfortunately after reboot i look the same picture.

 

Preview file
70 KB
0 Helpful

Anton84
Level 1
Level 1
In response to Anton84

‎06-28-2020 10:54 PM - edited ‎06-29-2020 01:30 AM

maybe blocked certs can prevent to open sites

Preview file
64 KB
0 Helpful

opryluts
Cisco Employee
Cisco Employee
In response to Anton84

‎06-29-2020 02:03 AM

Hi Anton,

 

Thank you for the update.

 

I don't see any cert from the chain in the block list. Let's start from the beginning - what AsyncOS version is your WSA running? 

0 Helpful

Anton84
Level 1
Level 1
In response to opryluts

‎06-30-2020 01:10 AM

Version: 11.5.1-124

0 Helpful

opryluts
Cisco Employee
Cisco Employee
In response to Anton84

‎06-30-2020 06:28 AM

Thank you, that version supports cross-signed certificates. 

 

Could you please describe how does the issue look from users perspective? What do they see in the browser window when accessing those sites? Any error messages or a blank screen? 

 

Also what do you see in access logs for those failing transactions?

0 Helpful

Anton84
Level 1
Level 1
In response to opryluts

‎07-02-2020 06:55 AM

On all sites I see the same java-scrypt

Preview file
369 KB
0 Helpful

opryluts
Cisco Employee
Cisco Employee
In response to Anton84

‎07-09-2020 01:11 AM

Hi Anton,

 

Thanks for the inputs.

 

Seems I see the same behaviour in my lab. I'll dig into the issue...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents