I'm browsing from behind a Firewall using this weird proxy server, which essentially acts like a man-in-the-middle and switches up the SSL certificate of the server with its own. So the certificates regard the site I'm after, but are supposedly issued by "FooBar inc." (that's the organization I'm in).
This means that essentially every single page which FF tries to get - it believes it encounters an error, about how the sufficient type is not set, and I get:
Warning: Potential Security Issue Ahead
etc. etc.
SECURITY_ERROR_UNKNOWN_ISSUER
I tried exporting the certificate and importing it, as suggested here - but this didn't work. Trying to import the .crt, I got a message saying that this was not a valid issuer.
What can I do?
Note: I'm using CentOS 8.
Try in about:config to set network.stricttransportsecurity.preloadlist to false. – harrymc – 2019-12-04T10:32:10.590
I'll try that, but - what is it supposed to do, exactly? – einpoklum – 2019-12-04T11:47:05.867
If you use the PC on this network routinely, install the CA certificate of the UTM firewall in the "Trusted Root Certificate Authorities" in CertMgr in Windows, or to the CA store chain in Linux. A UTM firewall can be configured with either a CA that transparently scans and re-encrypts all TLS/SSL packets, or an ICA signed by the firewall's CA. If it's the latter, the ICA-CA chain cert will need to be added in Linux, and for Windows, the ICA would also need to be added to "Intermediate Certificate Authorities" in Certmgr. – JW0914 – 2019-12-04T12:17:18.050
@JW0914: Can you give a link to information on how to do that? Especially in Linux? – einpoklum – 2019-12-04T12:29:17.620
I would just google "<distro name> add CA to system CA store". You can determine whether the transparent proxy's cert is a CA or ICA by looking at the "Issuer" section of the cert details... if it's the firewall's CA, it will likely be self-signed, but if it's an ICA, there will be an Issuer in that section, and if this is the case, you'll likely need to request from the IT dept the CA's cert in order to have the CoT [Chain of Trust] be complete. The first section will provide a general explanation of what's occurring with the traffic. – JW0914 – 2019-12-04T12:41:47.700
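The check described in the last comment (is the proxy's certificate a self-signed CA, or an intermediate with a separate Issuer?) followed by the CentOS system-store install, as an added example that is not part of the original thread. The function names are hypothetical; the anchors directory and update-ca-trust are the stock CentOS/RHEL trust-store mechanism, and a result of not-a-ca means the exported file is the site's own certificate rather than the proxy's issuing certificate.

```shell
#!/bin/sh
# Added example; classify_cert and install_anchor are hypothetical helper names.
# Input: a PEM certificate exported from the browser's certificate viewer.

# Print root-ca, intermediate-ca or not-a-ca for a PEM certificate file.
classify_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # Only a certificate whose basicConstraints say CA:TRUE can act as an issuer.
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo not-a-ca
        return 0
    fi
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    # Subject equal to Issuer: the firewall's own self-signed CA.
    # Otherwise it is an ICA and the certificate that issued it is needed too.
    if [ "$subject" = "$issuer" ]; then
        echo root-ca
    else
        echo intermediate-ca
    fi
}

# Copy a CA certificate into the system trust anchors and rebuild the store.
# Needs root. ANCHOR_DIR defaults to the CentOS/RHEL location.
install_anchor() {
    kind=$(classify_cert "$1") || return 2
    if [ "$kind" = not-a-ca ]; then
        echo "refusing: $1 is a server (leaf) certificate, not an issuer" >&2
        return 1
    fi
    if [ "$kind" = intermediate-ca ]; then
        echo "note: also install the CA certificate that issued this ICA" >&2
    fi
    cp "$1" "${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}/" &&
        update-ca-trust extract
}

# Stand-alone use: ./script.sh proxy-ca.pem
if [ $# -ge 1 ]; then
    classify_cert "$1"
fi
```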