-1

I recently ran into problems running an Apple TV with Netflix at my work. After some digging around our SonicWall firewall with one of their support techs we found the service being blocked by the certificate Netflix was passing. Apparently the certificate wasn't passing the "Detect Certificate signed by an Untrusted CA" check, so they're using self-signed or their certificate has the wrong name or whatever.

Has anyone seen Netflix signing their own certs? It seems odd that a public company would do that. The tech said the cert was missing the common name on it, so maybe it's just misconfigured. Would be interesting to hear your thoughts. I turned off the check and it's working fine, but I've never had a problem with a big company with non-compliant certs. Interestingly, the problem doesn't arise on browsers running Netflix in our office.

Well, I reconstructed the certificates that were sent back and forth and they're not self-signed... But is there anything wrong with them? So my new question would be: how do you check if a certificate is good or bad?

https://drive.google.com/open?id=0B0whF2PJIIWcSVg4MEJrc3liM1U https://drive.google.com/open?id=0B0whF2PJIIWcN2R0RHBYT2FGRm8

xtextedx
  • 1
  • 1
  • My first thought was that there must be a firewall between you and Netflix that breaks up the HTTPS encryption by providing its own certificate before forwarding the requests to the actual server, in the process inspecting the packages for malicious code. The fact that one of the certs you provide is from Symantec reinforces the suspicion. – Gerald Schneider Mar 30 '17 at 07:00
  • @GeraldSchneider Well, he _did_ mention the SonicWall _by name_... – Michael Hampton Mar 30 '17 at 07:08
  • @MichaelHampton He also mentioned that he worked with one of SonicWall's support techs. That's why I ruled that one out, expecting a second firewall behind it. – Gerald Schneider Mar 30 '17 at 07:11
  • We only have 1 firewall, that is the SonicWall... I dumped the packets to pcap and then reconstructed the certs with NetworkMiner. As far as I know SonicWall does not do any man-in-the-middle with certs itself to inspect packets. I talked to Netflix and they use Symantec certs.... – xtextedx Mar 30 '17 at 08:59
  • I just don't know why the SonicWall doesn't like these... The tech guys never actually tell you whether it's a false positive or not... Which is the question: are there any sites that can check a cert like you would check for valid HTML? Is it on a revocation list, does the common name match, or whatever checks are needed to see that a cert is trusted? – xtextedx Mar 30 '17 at 09:06
  • ssllabs.com is the site you want. – Jenny D Apr 03 '17 at 08:45

1 Answer

0

so my new question would be how do you check if a certificate is good or bad?

I would check with openssl s_client:

$ openssl s_client -connect netflix.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = California, L = los gatos, O = "Netflix, Inc.", OU = Operations, CN = www.netflix.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=los gatos/O=Netflix, Inc./OU=Operations/CN=www.netflix.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3

Which basically says that from OpenSSL's perspective (and assuming you have the 'typical' set of CA certificates, i.e. those pulled in by your OS's version of ca-certificates-mozilla), the Netflix cert is valid.

However, do note that Symantec is present in the trust chain, and there is currently some discussion about the validity of their certificates.

So in this case, whether the certificate is good or bad also depends on which CAs you currently consider trustworthy.

iwaseatenbyagrue
  • 3,588
  • 12
  • 22
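To make the three checks concrete (chain trust, hostname match, validity), here is an added example that is not part of the answer above. It builds a throwaway CA and leaf certificate with the openssl CLI, plus an unrelated CA and a self-signed leaf, and then applies the same tests a firewall's "untrusted CA" rule or a browser performs. Every name in it (Example Lab Root CA, Other Lab Root CA, www.example.test, api.example.test) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer: build a throwaway CA and leaf
# certificate with the openssl CLI, then run the checks a firewall's
# "untrusted CA" / name inspection is really doing. All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical root CA (self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/O=Example Lab/CN=Example Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# A second, unrelated CA: stands in for "a CA the firewall does not trust".
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/O=Other Lab/CN=Other Lab Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Leaf for www.example.test issued by the first CA, with a SAN entry
# (modern clients match the SAN, not the CN).
openssl req -newkey rsa:2048 -nodes \
  -subj "/O=Example Lab/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:www.example.test\n' > "$WORK/ext.cnf"
openssl x509 -req -days 90 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" >/dev/null 2>&1

# A self-signed leaf for the same name: what "signing their own certs"
# would look like on the wire.
openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
  -subj "/O=Example Lab/CN=www.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1

# check_cert CERT CAFILE HOSTNAME
# Prints one word: ok, expired, untrusted-chain or hostname-mismatch.
check_cert() {
  cert=$1; cafile=$2; host=$3
  # 1. Validity window first, because 'openssl verify' folds expiry into a
  #    generic failure and we want a distinct verdict.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired"; return 0
  fi
  # 2. Chain: does the issuer chain end at a root in CAFILE? Match on the
  #    ": OK" line rather than the exit code, which old releases got wrong.
  if ! openssl verify -CAfile "$cafile" "$cert" 2>&1 | grep -q ': OK$'; then
    echo "untrusted-chain"; return 0
  fi
  # 3. Name: does the SAN (or CN) cover the host the client connected to?
  if ! openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" 2>&1 \
       | grep -q ': OK$'; then
    echo "hostname-mismatch"; return 0
  fi
  echo "ok"
}

LEAF="$WORK/leaf.pem"; SELF="$WORK/self.pem"
CA="$WORK/ca.pem"; OTHER="$WORK/other.pem"

echo "leaf vs its own CA, right name:  $(check_cert "$LEAF" "$CA" www.example.test)"
echo "leaf vs an unrelated CA:         $(check_cert "$LEAF" "$OTHER" www.example.test)"
echo "leaf vs its CA, wrong name:      $(check_cert "$LEAF" "$CA" api.example.test)"
echo "self-signed leaf vs the CA:      $(check_cert "$SELF" "$CA" www.example.test)"
echo "self-signed leaf, pinned itself: $(check_cert "$SELF" "$SELF" www.example.test)"
```

The last two lines are the point of the thread: a self-signed certificate fails the chain check against any normal CA bundle, and the only way to make it pass is to add that exact certificate to the trust store, which is what "turning off the check" silently does for every site instead of one. To run the same checks on a live host, dump its chain with `openssl s_client -connect host:443 -servername host -showcerts </dev/null` (the `-servername` matters: without SNI a CDN may hand you a different virtual host's certificate than the Apple TV sees) and feed the PEM blocks to `check_cert` with the CA bundle the firewall actually uses. Revocation is a separate check (OCSP via `openssl ocsp`, or the vendor's own CRL feed) that none of the above covers.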