Re: Broken SSL cert caused by router?

[Ray Soucy <rps () maine edu>]

It might be filtering the CRL or OCSP verification for the SSL
certificate.  For GoDaddy I think this would be:

http://crl.godaddy.com/
http://ocsp.godaddy.com/
http://certificates.godaddy.com/

We ran into this when OS X changed how it handles SSL a few years
back, our captive portal was presenting a splash page in place of
Thawte OCSP and crashing the SSL keychain process.  The work-around
was either to respond with a TCP RST for these requests or to allow
them through.

On Thu, Mar 26, 2015 at 11:57 PM, Lewis,Mitchell T.
<ml-nanog () techcompute net> wrote:
> Meraki Access Points are interesting devices.
>
> I have found they cause issues with Linux firewalls if the merakis are not configured "correctly".
>
> Meraki Access Points do content inspections which I have found can cause produce symptoms similar to yours, although 
> I have not experienced what you are describing. Since the MX64W is both an Access Point & security gateway, it has 
> some additional content inspection/intelligence for it's security appliance role on top of the functions it performs 
> as an access point, the same functions which are found in Meraki standalone access points as well.
>
> I am not sure what the specifics are as I do not use Meraki security appliances but it is worth checking. I have 
> found with Meraki that items in the control panel/dashboard are not always labeled the best so I have found it is 
> usually worth putting in a ticket with them and/or a call to them to see what they think (1-888-490-0918).
>
>
>
>
>
>
>
>
>
>
>
> Mitchell T. Lewis
> Mlewis () Techcompute Net
> : www.linkedin.com/in/mlewiscc
> Mobile: (203)816-0371
> PGP Fingerprint: 79F2A12BAC77827581C734212AFA805732A1394E Public PGP Key
>
>
>
>
> A computer will do what you tell it to do, but that may be much different from what you had in mind. ~Joseph 
> Weizenbaum
>
> ----- Original Message -----
>
> From: "Mike" <mike-nanog () tiedyenetworks com>
> To: nanog () nanog org
> Sent: Thursday, March 26, 2015 6:38:55 PM
> Subject: Broken SSL cert caused by router?
>
> Hi,
>
> I have a very odd problem.
>
> We've recently gotten a 'real' ssl certificate from godaddy to
> cover our domain (*.domain.com) and have installed it in several places
> where needed for email (imap/starttls and etc) and web. This works
> great, seems ok according to various online TLS certificate checkers,
> and I get the green lock when testing using my own browsers and such.
>
> I have a customer however that uses our web mail system now secured
> with ssl. I myself and many others use it and get the green lock. But,
> whenever any station at the customer tries using it, they get a broken
> lock and 'your connection is not private'. The actual error displayed
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate
> Authority - G2". And it gets worse - whenever I go to the location and
> use my own laptop, the very one that 'works' when at my office, I ALSO
> get the error. AND EVEN WORSE - when I connect to my cell phone provided
> hotspot, the error goes away!
>
> As weird as this all sounds, I got it nailed down to one device -
> they have a Cisco/Meraki MX64W as their internet gateway - and when I
> remove that device from the chain and go 'straight' out to the internet,
> suddenly, the certificate problem goes away entirely.
>
> How is this possible? Can anyone comment on these devices and tell
> me what might be going on here?
>
> Mike-



-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net