
Error: NET::ERR_CERT_WEAK_KEY when accessing sites from macOS 10.15 or later and iOS 13 or later


Article ID: 224582

Products

ProxySG Software - SGOS

Issue/Introduction

When browsing to some sites, the browser displays the error NET::ERR_CERT_WEAK_KEY.

Cause

The ProxySG emulates certificates with a key size smaller than 2048 bits.

Environment

SSL interception is enabled.

Resolution

Set emulated certificate key size to 2048 bits.

From the CLI, enter configure mode, then enter the SSL configuration and set the key size:

proxy> enable
proxy# conf t
proxy#(config) ssl
proxy#(config ssl)proxy force-emulated-cert-keysize 2048

After applying the key size change, clear the certificate cache so that previously emulated certificates are discarded:

ProxySG#(config ssl)clear-certificate-cache

Reboot the Mac device to clear its cache.
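To confirm the change took effect from a client, the following added script (not part of this article or of SGOS) reads the certificate the client actually receives for a site and reports its RSA key size against Apple's 2048-bit minimum. It assumes the openssl CLI is installed on the client; any host name passed to it is a placeholder.

```shell
#!/bin/sh
# Added example: verify the key size of the certificate a client receives for a site.
# Run from a client behind the intercepting ProxySG so the emulated certificate is checked,
# not the OCS's own certificate. Assumes the openssl CLI; host names are placeholders.

MIN_BITS=2048   # minimum RSA key size accepted by macOS 10.15+ / iOS 13+ (HT210176)

# Read a PEM certificate on stdin and print its public key size in bits.
# Matches "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and "Public-Key: (2048 bit)" (3.x).
cert_key_bits() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Succeed (exit 0) only if the certificate on stdin carries a key of at least MIN_BITS.
cert_key_ok() {
    bits=$(cert_key_bits)
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Fetch the leaf certificate presented for a host (needs network access).
fetch_leaf_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Report whether Apple clients will accept the key size of the certificate seen for a site.
check_site() {
    cert=$(fetch_leaf_cert "$1")
    if [ -z "$cert" ]; then
        echo "$1: could not retrieve certificate"
        return 2
    fi
    bits=$(printf '%s\n' "$cert" | cert_key_bits)
    if printf '%s\n' "$cert" | cert_key_ok; then
        echo "$1: OK, ${bits}-bit key"
    else
        echo "$1: WEAK, ${bits}-bit key (< ${MIN_BITS} bits); clear the proxy certificate cache and re-check"
        return 1
    fi
}

# Usage: sh check_key_size.sh www.example.com
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

A WEAK result after the proxy change usually means the old emulated certificate is still cached on the proxy or the client, so clear both and run the check again.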

Additional Information

Per Apple documentation, certificate key sizes of less than 2048 bits are no longer supported:

https://support.apple.com/en-us/HT210176

Since the browser on macOS enforces a certificate key size of 2048 bits or more, the ProxySG must override the key size whenever the OCS presents a certificate with a key smaller than 2048 bits.

Note:

Be aware that increasing the key size increases the overhead of SSL processing, so CPU utilization may rise depending on the volume of traffic that is SSL intercepted.

Forcing key sizes of more than 2048 bits is not recommended.

Reference: High CPU in SSL after upgrade to 6.7.x (broadcom.com)

By default "force-emulated-cert-keysize" is set to auto.

Prior to SGOS 6.7, "auto" means 1024 or 2048 bits, depending on the Origin Content Server (OCS) key size. If the OCS uses a 1024-bit key, the ProxySG emulates its certificates with a 1024-bit key; similarly, if the OCS uses a 2048-bit key, the ProxySG emulates its certificates with a 2048-bit key.

For SGOS 6.7 and later, "auto" was expanded to include key sizes of 1024, 2048, 3072, or 4096 bits, mimicking the OCS.

To revert the change to the default, do the following:

proxy> enable
proxy# conf t
proxy#(config) ssl
proxy#(config ssl)proxy force-emulated-cert-keysize auto