Debugging Website Blocked due to SSL ERROR ( Understanding the Root Cause of the SSL Error )
Posted: Wed Apr 22, 2020 12:24 pm
Hello all,
In this post, I will be explaining the root cause of the SSL-related block.
Note: this SSL error occurs only when SSL Inspection is enabled in SafeSquid-SWG.
--------------------------------------
Short & Quick Answer
--------------------------------------
For every SSL-based (HTTPS) connection, SafeSquid performs an SSL verification check on the remote site.
If a website fails this SSL check, it is blocked and the user is shown the SSL verification error.
-----------------------------------
In Detailed Answer
-----------------------------------
SafeSquid has a lot of built-in verification and validation.
When a request is made to a remote HTTPS site via SafeSquid-SWG (with SSL inspection enabled in SafeSquid-SWG),
SafeSquid first creates a connection to the remote server and performs the SSL negotiation.
In this SSL negotiation,
SafeSquid sends the SNI (optional), the cryptographic functions it supports, ALPN, and a few more SSL parameters.
The server responds with the accepted cryptographic function, the server SSL certificate together with its SSL certificate chain, and a few more SSL parameters.
When SafeSquid-SWG receives the server SSL certificate and the SSL certificate chain, it starts the SSL verification and validation.
This includes the following checks:
1. DOMAIN NAME MATCH WITH WEB REQUEST HOST
The requested website name is matched against the certificate's Subject Name and its SAN (Subject Alternative Name) entries, including wildcard entries.
If it does not match, SafeSquid discards the SSL connection and sends the block template to the user with the error message:
X 509 DNS MISMATCH ERROR
**** Attachment Left to Add
2. SSL CERTIFICATE CHAIN VALIDATION
In this validation, SafeSquid checks the Issued By (issuer) field and then the whole SSL chain up the hierarchy.
Details about the SSL certificate chain can be found in the link below:
When this validation fails, SafeSquid discards the SSL connection and sends the block template to the user with the error message:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
**** Attachment Left to Add
Note: there are two reasons why the client is shown this message:
1. The server does not send the SSL certificate chain, or sends an incorrect / incomplete chain.
2. The intermediate CA certificate is not present in SafeSquid's SSL stack (its trust store).