27th March 2012, 03:47 PM #1
Security certificate error
I have just finished a new Win7 install for our new CAD/CAM suite. When I log in with my student test account,
I get a Security Alert saying "revocation information for the security certificate for this site is not available"
Issued to "javadl-esd.secure.oracle.com"
Issued by "smoothwall.domain.local"
A quick google gave hints to proxy settings but they are correct and manually configured and "automatically detect proxy" is unchecked.
Anyone got any ideas?
27th March 2012, 04:39 PM #2
Are you using HTTPS interception? We get the same error if we turn HTTPS interception on, and Smoothwall claim no-one else has reported it to them, so please raise a ticket if this is the case!
27th March 2012, 04:42 PM #3
Yes we are using HTTPS interception.
I was sure this was related to smoothwall in some way or another but there are so many threads on the Internet on the subject with no real fix.
29th March 2012, 11:05 AM #4
A funny one this... I've seen it at home (Win7 64) following a recent Java update, but I don't (shh, don't tell anyone!) have a Smoothie at home.
Aunty Google suggests this is a UserTrust issued cert, but I haven't confirmed that. If so, the revocation information that the error pertains to will come from crl.usertrust.com or ocsp.usertrust.com. These shouldn't be hampered by Smoothwall (they're in the SSL/CRL category) and likewise they shouldn't be dead or unavailable as it's a reputable CA.
I wonder if there's something else going on, perhaps Java's certificate itself is bungled in the update?
29th March 2012, 11:18 AM #5
If the error is being reported as Issued by "smoothwall.domain.local" as the OP noted, will it not be looking for a CRL from the Smoothwall issuer, not the original issuer?
29th March 2012, 01:52 PM #6
Setting aside revocation, having your smoothie perform interception may be giving Java problems.
I don't know what CA store Java references, but if it does not trust the Smoothwall CA cert then it could fail on that basis. Java may well share the Windows CA store - but software update processes often use their own list, or a self-signed certificate for which the software updater already has the public key.
The way you can rule this out is to add a 'Do not inspect' rule to your HTTPS policy which will skip certificate checking and interception for these domains. That way your Smoothwall will not involve itself in the encrypted conversation.
See how it goes if you add 'secure.oracle.com' into such a policy?
My worry is that I have witnessed this same error at home - independently of any fancy networking.
29th March 2012, 06:55 PM #7
I should add that the message doesn't appear on the admin account.
I'll try disabling interception and see if it makes a difference.
24th April 2013, 05:00 PM #8
Hi guys, I am getting this on W7 and XP machines, did that work for you Gaz?
24th April 2013, 05:07 PM #9
The message hasn't appeared in quite a while and I'm not sure what the cause or solution was. If I did anything at all, it was to add an HTTPS exception (do not inspect) in Smoothwall for secure.oracle.com.
24th April 2013, 05:22 PM #10
I was having certificate revocation issues in the beginning of the school year. We're using Squid 3.2, no HTTPS interception, and Kerberos authentication to get out. It turned out in the proxy logs the revocation connections were being swatted down because user credentials weren't included in the connection request. To get around it I added the most common certificate authority domains to an authorization bypass ACL.
24th April 2013, 05:24 PM #11
I wonder if adding an authentication exception would also do the same job?
24th April 2013, 05:52 PM #12
Check your proxy logs. I don't know what the logging looks like on a Smoothwall box, but if you're doing it from the command line use something like this:
tail -f /var/log/squid3/access.log | grep xxx.xxx.xxx.xxx
You'll most likely need root access to do this, and replace xxx with the IP address of the machine you're browsing from. You should see a connection request to the domain of the certificate authority scroll past with a 407 error missing a username, immediately followed up by another request to the same domain, only containing the username this time. If you don't see that follow-up request then add the CA domain to an authentication bypass ACL.
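The check described in the post above, as an added example that is not part of the thread: scan Squid access.log lines for CONNECT requests to CRL/OCSP hosts that were answered 407 with no username and never retried. The log lines are constructed in Squid's native format, and the CA host list is assumed from the UserTrust hosts mentioned earlier in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in Squid native access.log format (not real traffic):
# timestamp elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1366814400.101 0 10.0.0.5 TCP_DENIED/407 3900 CONNECT ocsp.usertrust.com:443 - HIER_NONE/- text/html
1366814400.350 120 10.0.0.5 TCP_MISS/200 2100 CONNECT ocsp.usertrust.com:443 jsmith HIER_DIRECT/1.2.3.4 -
1366814401.010 0 10.0.0.5 TCP_DENIED/407 3900 CONNECT crl.usertrust.com:443 - HIER_NONE/- text/html
1366814402.500 0 10.0.0.7 TCP_DENIED/407 3900 CONNECT ocsp.usertrust.com:443 - HIER_NONE/- text/html
1366814402.900 80 10.0.0.7 TCP_MISS/200 2100 CONNECT ocsp.usertrust.com:443 - HIER_DIRECT/1.2.3.4 -
"""

# Assumed CA revocation hosts, taken from the thread's discussion of UserTrust.
CA_HOSTS = {"ocsp.usertrust.com", "crl.usertrust.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<code>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

def host_of(url):
    """CONNECT logs 'host:port'; plain GETs log a full URL. Return just the host."""
    if "://" in url:
        return urlparse(url).hostname or ""
    return url.rsplit(":", 1)[0]

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    return rec

def unauthenticated_ca_requests(log_text, ca_hosts):
    """Return (client, host) pairs where a 407 with no username for a CA host
    was never followed by a non-407 request to that host from the same client.
    Those are the pairs that need an authentication bypass ACL."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["host"] in ca_hosts:
            by_pair[(rec["client"], rec["host"])].append(rec)
    flagged = []
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: float(r["ts"]))
        for i, r in enumerate(recs):
            if r["code"] == "407" and r["user"] == "-":
                if not any(x["code"] != "407" for x in recs[i + 1:]):
                    flagged.append(pair)
                    break
    return sorted(flagged)

if __name__ == "__main__":
    for client, host in unauthenticated_ca_requests(SAMPLE_LOG, CA_HOSTS):
        print(f"{client} never authenticated to {host}: consider a bypass ACL")
```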
24th April 2013, 05:58 PM #13
It's fine for me, but I assume the error is appearing because Java wants to check for an update and it does this to secure.oracle.com, so if there was an authentication exception then it would just go straight through the filter. Just like adding a do not inspect rule for HTTPS.
My question was merely academic.
24th April 2013, 06:13 PM #14
Don't suppose you fancy posting those do you? Adding them to my bypass filtering/authentication rules has been on my list of things to do for a few months now, and having a pre-seeded list would really help.
24th April 2013, 06:20 PM #15
For a Smoothwall user, yes it would.
Within 'Web Proxy > Authentication > Exception' you could add the category 'SSL /CRL' which includes the relevant CRL and OCSP servers.
... in fact, that's part of the new (March '13) example policies for a new installation.