Wrong "published to" at the certificate

webfilter
webproxy

(Michael Träumner) #1

NethServer Version: 7.5
Module: Proxy and Webfilter

Hi to all,
I tried to open the site de.pons.com and get a certificate error. It’s published to urlfilterdb.com; without proxy it’s published to pons.com. It’s not filtered; after clicking the yes or the no button a few more times I can use the site.
I added the domain (de.pons.com) to the domains without proxy, but it doesn’t change anything.
Does somebody have another idea? Can somebody confirm this behavior?

Edit: Tested with leo, it’s the same problem and the same certificate:

The specified name on the security certificate is invalid or does not match the name of the site

Thanks in advance

Michael


(Giacomo Sanchietti) #2

I have the firewall configured in transparent mode with SSL and web content filter enabled but I can’t reproduce the problem.

Try to exclude a browser problem by querying the server via command line:

echo | openssl s_client -showcerts -servername de.pons.com -connect de.pons.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

The certificate for that site is from GoDaddy.com


(Michael Träumner) #3

Thanks for your answer. The output of your command is:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4065765234379907969 (0x386c7ff07758e381)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Nov 20 15:56:00 2017 GMT
            Not After : Jan 15 09:31:42 2020 GMT
        Subject: OU=Domain Control Validated, CN=*.pons.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-790.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name:
                DNS:*.pons.com, DNS:pons.com
            X509v3 Subject Key Identifier:
                93:0D:14:12:5D:7E:08:A2:B2:CC:50:46:83:99:A1:A3:EF:0A:72:3C
    Signature Algorithm: sha256WithRSAEncryption

I configured the proxy in manual mode, and if I click on the lock on the site I get the right one; only when opening the site or clicking somewhere does the error message come up with the wrong certificate.


(Giacomo Sanchietti) #4

Then probably the site downloads external resources from blocked sites.


(Michael Träumner) #5

Thanks, I’ll have a look at the logs to find out which sites are the problem.


(Michael Träumner) #6

OK, I found them.

2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv stats.g.doubleclick.net:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv securepubads.g.doubleclick.net:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv fastlane.rubiconproject.com:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv fastlane.rubiconproject.com:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv fastlane.rubiconproject.com:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv fastlane.rubiconproject.com:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv fastlane.rubiconproject.com:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv hbopenbid.pubmatic.com:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv ib.adnxs.com:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv adserver.adtech.de:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv adserver.adtech.de:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv adserver.adtech.de:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv adserver.adtech.de:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv adserver.adtech.de:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv ib.adnxs.com:443 CONNECT 
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv yieldlove-d.openx.net:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv prg.smartadserver.com:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv as-sec.casalemedia.com:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv hb.adscale.de:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv adx.adform.net:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv c.amazon-adsystem.com:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv stats.g.doubleclick.net:443 CONNECT 
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv stats.g.doubleclick.net:443 CONNECT 

My next problem is that they are blocked after whitelisting them. I cleared the internet cache and did an ipconfig /flushdns.

For the full list please click the photo.

Edit: Disabling the adv category works, but it would be nice if one could use the sites without the ads and without clicking several times on a certificate warning. We can’t work in transparent mode, because a banking site we need doesn’t work in transparent mode.
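
The two checks from this thread combined, as an added example that is not part of the thread or of NethServer: it parses ufdbGuard-style BLOCK lines like the ones above to list which CONNECT hosts were blocked, and it checks which hostnames the site certificate from post #3 (SAN `*.pons.com`, `pons.com`) actually covers. Every blocked host that the site certificate does not cover is one where the browser receives the filter's own certificate instead, which is what produces the warning. The log sample is constructed from the lines quoted above (plus one non-BLOCK line, labelled as constructed, to show it is skipped); the field layout is assumed from those lines.

```python
from typing import Dict, List, Set

# Constructed sample in the log layout quoted in post #6; the last line is a
# made-up non-BLOCK verdict to show that the parser ignores it.
SAMPLE_LOG = """\
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv stats.g.doubleclick.net:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv securepubads.g.doubleclick.net:443 CONNECT
2018-08-02 08:50:45 [6763] BLOCK - 192.168.x.x default adv fastlane.rubiconproject.com:443 CONNECT
2018-08-02 08:50:46 [6763] BLOCK - 192.168.x.x default adv adserver.adtech.de:443 CONNECT
2018-08-02 08:50:46 [6763] PASS - 192.168.x.x default none de.pons.com:443 CONNECT
"""

# SAN entries taken from the openssl x509 -text output in post #3.
PONS_SAN = ["*.pons.com", "pons.com"]


def parse_block_log(text: str) -> Dict[str, Set[str]]:
    """Return {category: {host, ...}} for every BLOCK line (assumed field layout:
    date time [pid] verdict user client-ip group category host:port method)."""
    blocked: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10 or fields[3] != "BLOCK":
            continue  # other verdicts or malformed lines are not of interest here
        category, dest = fields[7], fields[8]
        host = dest.rsplit(":", 1)[0]  # drop the ":443" port suffix
        blocked.setdefault(category, set()).add(host)
    return blocked


def san_matches(hostname: str, san_names: List[str]) -> bool:
    """Hostname check as browsers do it (RFC 6125 style): exact match, or a
    wildcard in the leftmost label only that covers exactly one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def hosts_not_covered(log: str, san_names: List[str]) -> Set[str]:
    """Blocked hosts that the site certificate cannot vouch for: each of these
    CONNECTs is answered with the filter's certificate, hence the warning."""
    return {h for hosts in parse_block_log(log).values() for h in hosts
            if not san_matches(h, san_names)}
```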


(Giacomo Sanchietti) #7

I will try to reproduce it next week.

But in the meantime maybe @davide_marini could have some hints.


(Giacomo Sanchietti) #8

Sorry but I can’t reproduce it.
Does anyone have the same behavior?