  1. #1
    Gaz

    Security certificate error

    I have just finished a new Win7 install for our new CAD/CAM suite. When I log in with my student test account,
    I get a Security Alert saying "revocation information for the security certificate for this site is not available"
    Issued to "javadl-esd.secure.oracle.com"
    Issued by "smoothwall.domain.local"

    A quick google gave hints to proxy settings but they are correct and manually configured and "automatically detect proxy" is unchecked.

    Anyone got any ideas?

  2. #2

    AngryTechnician
    Are you using HTTPS interception? We get the same error if we turn HTTPS interception on, and Smoothwall claim no-one else has reported it to them, so please raise a ticket if this is the case!

  3. #3
    Gaz
    Originally posted by AngryTechnician:
    Are you using HTTPS interception? We get the same error if we turn HTTPS interception on, and Smoothwall claim no-one else has reported it to them, so please raise a ticket if this is the case!
    Yes we are using HTTPS interception.

    I was sure this was related to smoothwall in some way or another but there are so many threads on the Internet on the subject with no real fix.

  4. #4


    A funny one this... I've seen it at home (Win7 64) following a recent Java update, but I don't (shh, don't tell anyone!) have a Smoothie at home.

    Aunty Google suggests this is a UserTrust issued cert, but I haven't confirmed that. If so, the revocation information that the error pertains to will come from crl.usertrust.com or ocsp.usertrust.com. These shouldn't be hampered by Smoothwall (they're in the SSL/CRL category) and likewise they shouldn't be dead or unavailable as it's a reputable CA.
    I wonder if there's something else going on, perhaps Java's certificate itself is bungled in the update?

  5. #5

    AngryTechnician
    If the error is being reported as Issued by "smoothwall.domain.local" as the OP noted, will it not be looking for a CRL from the Smoothwall issuer, not the original issuer?

  6. #6


    Setting aside revocation, having your smoothie perform interception may be giving Java problems.
    I don't know what CA store Java references, but if it does not trust the Smoothwall CA cert then it could fail on that basis. Java may well share the Windows CA store - but software update processes often use their own list, or a self-signed certificate for which the software updater already has the public key.
    The way you can rule this out is to add a 'Do not inspect' rule to your HTTPS policy which will skip certificate checking and interception for these domains. That way your Smoothwall will not involve itself in the encrypted conversation.

    See how it goes if you add 'secure.oracle.com' into such a policy?

    My worry is that I have witnessed this same error at home - independently of any fancy networking.

  7. #7
    Gaz
    I should add that the message doesn't appear on the admin account.
    I'll try disabling interception and see if it makes a difference.

  8. #8
    Fox
    Hi guys, I am getting this on W7 and XP machines, did that work for you Gaz?

  9. #9
    Gaz
    The message hasn't appeared in quite a while and I'm not sure what the cause or solution was. If I did anything at all, it was to add an HTTPS exception (do not inspect) in Smoothwall for secure.oracle.com.

  11. #10
    Duke5A
    I was having certificate revocation issues in the beginning of the school year. We're using Squid 3.2, no HTTPS interception, and Kerberos authentication to get out. It turned out in the proxy logs the revocation connections were being swatted down because user credentials weren't included in the connection request. To get around it I added the most common certificate authority domains to an authorization bypass ACL.

  12. #11
    Gaz
    I wonder if adding an authentication exception would also do the same job?

  13. #12
    Duke5A
    Originally posted by Gaz:
    I wonder if adding an authentication exception would also do the same job?
    Check your proxy logs. I don't know what the logging looks like on a Smoothwall box, but if you're doing it from the command line use something like this:

    Code:
    tail -f /var/log/squid3/access.log | grep xxx.xxx.xxx.xxx

    You'll most likely need root access to do this, and replace xxx with the IP address of the machine you're browsing from. You should see a connection request to the domain of the certificate authority scroll past with a 407 error missing a username and immediately be followed up by another request to the same domain, only containing the username this time. If you don't see that follow-up request then add the CA domain to an authentication bypass ACL.
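
Added example, not part of the thread or any poster's code: the log check described in the post above, run offline over a saved access.log instead of watching `tail -f`. It assumes Squid's native access.log layout; the function names, hostnames and IP addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1366790400.101     2 10.0.0.15 TCP_DENIED/407 3980 GET http://ocsp.example-ca.test/req - HIER_NONE/- text/html
1366790400.350    48 10.0.0.15 TCP_MISS/200 1820 GET http://ocsp.example-ca.test/req student1 HIER_DIRECT/192.0.2.10 application/ocsp-response
1366790401.020     1 10.0.0.15 TCP_DENIED/407 3975 GET http://crl.example-ca.test/ca.crl - HIER_NONE/- text/html
1366790405.700     1 10.0.0.15 TCP_DENIED/407 3975 GET http://crl.example-ca.test/ca.crl - HIER_NONE/- text/html
1366790406.000     3 10.0.0.22 TCP_DENIED/407 3980 GET http://ocsp.example-ca.test/req - HIER_NONE/- text/html
"""


def host_of(method, url):
    """Return the destination host for a plain request or a CONNECT tunnel."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()


def hosts_without_auth_retry(log_text, client_ip, window=5.0):
    """Hosts that sent client_ip a 407 with no authenticated retry within `window` seconds."""
    unanswered = {}  # host -> timestamps of 407 challenges still waiting for a retry
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2] != client_ip:
            continue
        ts = float(fields[0])
        status = fields[3].rpartition("/")[2]
        host = host_of(fields[5], fields[6])
        user = fields[7]
        if status == "407" and user == "-":
            unanswered.setdefault(host, []).append(ts)
        elif status != "407" and user != "-":
            # An authenticated request answers every challenge issued shortly before it.
            unanswered[host] = [t for t in unanswered.get(host, []) if ts - t > window]
    return sorted(h for h, pending in unanswered.items() if pending)


if __name__ == "__main__":
    for ip in ("10.0.0.15", "10.0.0.22"):
        print(ip, hosts_without_auth_retry(SAMPLE_LOG, ip))
```

Any host this returns for a client is one whose revocation lookups were challenged and never retried with credentials, which is the case the post says to handle with an authentication bypass ACL.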

  14. #13
    Gaz
    It's fine for me, but I assume the error is appearing because Java wants to check for an update and it does this to secure.oracle.com, so if there was an authentication exception then it would just go straight through the filter, just like adding a do not inspect rule for HTTPS.
    My question was merely academic.

  15. #14

    Originally posted by Duke5A:
    To get around it I added the most common certificate authority domains to an authorization bypass ACL.
    Don't suppose you fancy posting those do you? Adding them to my bypass filtering/authentication rules has been on my list of things to do for a few months now, and having a pre-seeded list would really help.

  16. #15


    Originally posted by Gaz:
    I wonder if adding an authentication exception would also do the same job?
    For a Smoothwall user, yes it would.

    Within 'Web Proxy > Authentication > Exception' you could add the category 'SSL /CRL' which includes the relevant CRL and OCSP servers.
    ... in fact, that's part of the new (March '13) example policies for a new installation.
