Unknown CA errors accessing HTTPS sites message on SSL Visibility Appliance

Article ID: 168251

Products

SSL Visibility Appliance Software

Issue/Introduction

You see "Unknown CA" errors on the SSL Visibility Appliance when accessing HTTPS sites. For example:

    Error
    Message: Alert[C]: unknown CA
    Subsystem: 0x3
    Component: 0x2
    Code: 0x72
    Subcode: 0x000
    Messages
    CLIENT_ALERT
    CLIENT_HELLO
    SERVER_HELLO
    SERVER_CERTIFICATE
    SERVER_KEY_EXCHANGE
    SERVER_HELLO_DONE
    CLIENT_KEY_EXCHANGE
    CLIENT_CHANGE_CIPHER_SPEC
    CLIENT_FINISHED
    HANDSHAKE_OTHER
    Flags
    FLOW_INITIALIZED
    C2S_SYNCED
    S2C_SYNCED
    CUT_APPLIED
    FULL_HANDSHAKE
    POLICY_DECISION_MADE
    DECRYPT_STARTED
    CERTIFICATE_MODIFIED
    RECRYPT_ENFORCED
    CLIENT_HELLO_SESSTKT
    SERVER_HELLO_SESSTKT
    DH_PUB_VALUE_READY
    HANDSHAKE_MODIFIED
    SESSION_LOG_ENABLED
    SESSION_LOGGED
    ASYNC_OP_USED
    ACTIVE_FEEDBACK_MODE
    NFP_FLOW_UPDATE_APPLIED
    CLIENT_HELLO_SERVER_NAME
    KEY_MATERIAL_GENERATED
    MASTER_KEY_C2S_VALID
    MASTER_KEY_S2C_VALID
    FIRST_CCS_PROCESSED
    EOF_PROCESSED
    PARTIAL_EOF_SEEN
    CH_PROCESSED
    SSL_CONFIRMED
    SSL_INTERCEPT
    PLAINTEXT_INITIALIZED
    Rule Matched Index
    1
    Server Name Indication
    accounts.google.com
    Subject
    Common Name: accounts.google.com
    Organization: Google Inc
    Issuer
    Common Name: Google Internet Authority G2
    Organization: Google Inc
    Serial Number
    xx:xx:xx:xx:xx:xx:xx:xx
    Valid From
    Sep 10 13:23:52 2014 GMT
    Valid To
    Dec 9 00:00:00 2014 GMT
    SHA-1 Certificate Fingerprint
    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    SHA-1 Public Key Fingerprint
    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Subject Alt Name DNS/IP
    accounts.google.com


 

Cause

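The alert is sent by the client, not by the appliance: the client does not trust the CA that the SSL Visibility Appliance uses to re-sign server certificates.

It can be reproduced with a Mozilla browser, for example: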
  1. Remove trust for the SSL Visibility Appliance's resigning CA.
  2. When you get the "if you want to trust this site" warning, click "Get me out of here!".

Resolution

Ensure that the SSL Visibility Appliance's CA is trusted on the client.
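
To confirm that a session log entry matches the cause above before changing client trust settings, the following added example (not Broadcom or appliance code) parses a session detail in the layout quoted in this article and checks for a client-sent "unknown CA" alert on a session whose certificate was modified. Reading `Alert[C]` as "sent by the client" and `CERTIFICATE_MODIFIED` as "re-signed by the appliance" are assumptions; the function names and the sample are constructed.

```python
import re

# Section labels as they appear in the session detail quoted in this article.
SECTIONS = {"Error", "Messages", "Flags", "Rule Matched Index",
            "Server Name Indication", "Subject", "Issuer", "Serial Number",
            "Valid From", "Valid To", "SHA-1 Certificate Fingerprint",
            "SHA-1 Public Key Fingerprint", "Subject Alt Name DNS/IP"}

def parse_session_detail(text):
    """Group the flattened detail view into {section label: [value lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            current = sections.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return sections

def triage(text):
    """Report whether a session matches the cause described in this article."""
    s = parse_session_detail(text)
    message = next((v for v in s.get("Error", []) if v.startswith("Message:")), "")
    # Assumption: "Alert[C]" marks an alert sent by the client; cross-checked
    # against the CLIENT_ALERT entry under Messages.
    m = re.search(r"Alert\[(\w)\]:\s*(.+)", message)
    from_client = bool(m) and m.group(1) == "C" and "CLIENT_ALERT" in s.get("Messages", [])
    unknown_ca = bool(m) and m.group(2).strip().lower() == "unknown ca"
    # Assumption: CERTIFICATE_MODIFIED means the appliance re-signed the certificate.
    resigned = "CERTIFICATE_MODIFIED" in s.get("Flags", [])
    return {
        "sni": (s.get("Server Name Indication") or [None])[0],
        "client_rejected_resigned_cert": from_client and unknown_ca and resigned,
    }

# Constructed sample: a trimmed copy of the session detail quoted above.
SAMPLE = """\
    Error
    Message: Alert[C]: unknown CA
    Messages
    CLIENT_ALERT
    CLIENT_HELLO
    SERVER_CERTIFICATE
    Flags
    DECRYPT_STARTED
    CERTIFICATE_MODIFIED
    Server Name Indication
    accounts.google.com
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `True` result for `client_rejected_resigned_cert` points at the client's trust store for the host named in `sni`, which is where the resolution above applies.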