Unknown CA errors accessing HTTPS sites message on SSL Visibility Appliance
Article ID: 168251
Products
SSL Visibility Appliance Software
Issue/Introduction
You see "Unknown CA errors accessing HTTPS sites" on the SSL Visibility Appliance. For example:
Error
Message: Alert[C]: unknown CA
Subsystem: 0x3
Component: 0x2
Code: 0x72
Subcode: 0x000
Messages
CLIENT_ALERT
CLIENT_HELLO
SERVER_HELLO
SERVER_CERTIFICATE
SERVER_KEY_EXCHANGE
SERVER_HELLO_DONE
CLIENT_KEY_EXCHANGE
CLIENT_CHANGE_CIPHER_SPEC
CLIENT_FINISHED
HANDSHAKE_OTHER
Flags
FLOW_INITIALIZED
C2S_SYNCED
S2C_SYNCED
CUT_APPLIED
FULL_HANDSHAKE
POLICY_DECISION_MADE
DECRYPT_STARTED
CERTIFICATE_MODIFIED
RECRYPT_ENFORCED
CLIENT_HELLO_SESSTKT
SERVER_HELLO_SESSTKT
DH_PUB_VALUE_READY
HANDSHAKE_MODIFIED
SESSION_LOG_ENABLED
SESSION_LOGGED
ASYNC_OP_USED
ACTIVE_FEEDBACK_MODE
NFP_FLOW_UPDATE_APPLIED
CLIENT_HELLO_SERVER_NAME
KEY_MATERIAL_GENERATED
MASTER_KEY_C2S_VALID
MASTER_KEY_S2C_VALID
FIRST_CCS_PROCESSED
EOF_PROCESSED
PARTIAL_EOF_SEEN
CH_PROCESSED
SSL_CONFIRMED
SSL_INTERCEPT
PLAINTEXT_INITIALIZED
Rule Matched Index
1
Server Name Indication
accounts.google.com
Subject
Common Name: accounts.google.com
Organization: Google Inc
Issuer
Common Name: Google Internet Authority G2
Organization: Google Inc
Serial Number
xx:xx:xx:xx:xx:xx:xx:xx
Valid From
Sep 10 13:23:52 2014 GMT
Valid To
Dec 9 00:00:00 2014 GMT
SHA-1 Certificate Fingerprint
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
SHA-1 Public Key Fingerprint
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Subject Alt Name DNS/IP
accounts.google.com
Cause
This message actually comes from the client.
It can be reproduced with a Mozilla browser. For example:
- Remove trust for the SSL Visibility Appliance's resigning CA.
- When you get the "if you want to trust this site" warning, click "Get me out of here!".
Resolution
Ensure that the SSL Visibility Appliance's CA is trusted on the client.
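The trust check behind this resolution can be reproduced offline with the openssl command line. This is an added example, not part of the original article or the appliance's tooling: the CA names, file names and functions are constructed for illustration, and "Example Resigning CA" only stands in for the appliance's resigning CA.

```shell
#!/bin/sh
# Constructed lab: a stand-in resigning CA and a leaf certificate it signs,
# mimicking what a client receives after the certificate has been re-signed.
# Every name and file below is made up for this example.

make_lab() {
    dir=$1
    # Stand-in for the appliance's resigning CA (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Resigning CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Unrelated root: models a client trust store that lacks the resigning CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Other Root" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null || return 1
    # Leaf key and CSR, then a certificate issued by the resigning CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# Prints "trusted" if the leaf chains to a CA in the bundle, else "unknown-ca".
check_trust() {
    bundle=$1
    leaf=$2
    if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
        echo trusted
    else
        echo unknown-ca
    fi
}

# Demo: the same leaf fails or passes depending only on the trust bundle.
lab=$(mktemp -d) && make_lab "$lab" && {
    echo "without resigning CA: $(check_trust "$lab/other.pem" "$lab/leaf.pem")"
    echo "with resigning CA:    $(check_trust "$lab/ca.pem" "$lab/leaf.pem")"
}
```

On a real client, the equivalent check is to point `openssl s_client -connect <host>:443 -servername <host> -CAfile <exported resigning CA>` at a site that is being intercepted and read the "Verify return code" line.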