Users receiving "Not Secure" certificate warning with subject name of 'IfYouCanSeeThisCertificateThisIsAnErrror' when accessing Microsoft online services intermittently

Article ID: 278458

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are accessing internet sites successfully via Cloud SWG using both the WSS Agent and IPsec access methods.

SSL interception is enabled for most sites, including Microsoft Online Services.

The helpdesk is receiving sporadic (but multiple) reports from different users of intermittent certificate errors when attempting to use Microsoft online services (predominantly login.microsoftonline.com, but some other services too).

Users are intermittently presented with a "Not Secure" warning when accessing Microsoft Online services.

When viewing the certificate, it shows "IfYouCanSeeThisCertificateThisIsAnErrror" as the CN of both the server and issuer certificates, with an organisation of "BCSI-default httpsproxycertificate", an OU of "BCSI-overrideThisCertWithServerCert" and an expiration date in 2005.

Environment

Cloud SWG.

SSL interception.

Upstream secure Web servers with other SSL interception devices in path.

Cause

An upstream device is SSL-intercepting the traffic between the Cloud SWG proxy and the OCS (origin content server) and does not handle TLS session resumption correctly per the TLS specifications.

Resolution

In the above case, Microsoft Online services made changes that made the issue go away.

It is technically possible for other sites to experience the same issue, and for this reason a Cloud SWG proxy update has been released (January 2024) to detect and recover from this edge case.

Additional Information

PCAPs taken on the proxy helped determine what was going on. From the PCAPs we could see that:

- the downstream TLS client_hello carries a PSK extension plus supported_versions (TLSv1.3, TLSv1.2), implying the client is attempting a TLSv1.3 session resumption using a PSK
- the upstream client_hello carries a PSK extension plus supported_versions (TLSv1.3, TLSv1.2), implying the Cloud Proxy is attempting a TLSv1.3 session resumption using a PSK
- the 'OCS' (which is typically an intermediate device intercepting TLS traffic and not the real OCS) for some reason does not honor the PSK, supported_versions or session_ticket extensions sent by the Cloud Proxy, but comes back with a TLSv1.2 full handshake using a session ID
- the Cloud Proxy cannot handle this and sends the 'IfYouCanSeeThisCertificateThisIsAnErrror' certificate on the downstream side.
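As an added example (not code from the article or from Broadcom), the Python below parses the ClientHello and ServerHello records one would carve out of such PCAPs and names the resumption outcome, so the mismatch in the bullets above can be spotted automatically. The sample hellos are constructed to mirror that exchange; the random bytes, session IDs and PSK identity are placeholders.

```python
import struct

SUPPORTED_VERSIONS, PRE_SHARED_KEY, SESSION_TICKET, TLS13 = 0x002B, 0x0029, 0x0023, b"\x03\x04"

def iter_extensions(buf):  # yield (type, data) from a length-prefixed TLS extensions block
    pos, end = 2, 2 + struct.unpack(">H", buf[:2])[0]
    while pos < end:
        etype, elen = struct.unpack(">HH", buf[pos:pos + 4])
        yield etype, buf[pos + 4:pos + 4 + elen]
        pos += 4 + elen

def parse_hello(record):
    """Parse one TLS handshake record carrying a ClientHello (1) or ServerHello (2)."""
    assert record[0] == 0x16 and record[5] in (1, 2), "not a Client/ServerHello record"
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 35 + body[34]  # past legacy_version (2), random (32), session_id_len (1), session_id
    hello = {"legacy_version": body[:2], "session_id": body[35:pos]}
    if record[5] == 1:  # ClientHello: cipher_suites and compression_methods vectors
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 1 + body[pos]
    else:  # ServerHello: one cipher suite (2) and one compression method (1)
        pos += 3
    hello["ext"] = dict(iter_extensions(body[pos:])) if pos < len(body) else {}
    return hello

def classify(client_hello, server_hello):
    """Name the resumption outcome; the last verdict is what the PCAPs above showed."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    sv = c["ext"].get(SUPPORTED_VERSIONS, b"")  # ClientHello form: 1-byte length + 2-byte versions
    offered_13_psk = PRE_SHARED_KEY in c["ext"] and TLS13 in [sv[i:i + 2] for i in range(1, len(sv), 2)]
    negotiated = s["ext"].get(SUPPORTED_VERSIONS, s["legacy_version"])  # ServerHello form: selected version
    if not offered_13_psk:
        return "no_tls13_psk_offered"
    if negotiated == TLS13:
        return "tls13_psk_resumption" if PRE_SHARED_KEY in s["ext"] else "tls13_full_handshake"
    if s["session_id"] and s["session_id"] == c["session_id"]:
        return "tls12_session_id_resumption"
    return "tls12_full_handshake_after_tls13_psk_offer"  # PSK, supported_versions and ticket all ignored
def hs_record(htype, body):  # wrap a handshake body in handshake and record headers (constructed data)
    return b"\x16\x03\x03" + struct.pack(">H", len(body) + 4) + bytes([htype]) + len(body).to_bytes(3, "big") + body
def ext_block(pairs):  # build a length-prefixed extensions block from (type, data) pairs
    blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in pairs)
    return struct.pack(">H", len(blob)) + blob
RANDOM = b"\x00" * 32  # constructed placeholder; real hellos carry 32 random bytes
CLIENT_HELLO = hs_record(1, b"\x03\x03" + RANDOM + b"\x20" + b"\x11" * 32 + b"\x00\x02\x13\x01" + b"\x01\x00"
                         + ext_block([(SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"), (SESSION_TICKET, b""), (PRE_SHARED_KEY, b"\x00\x00")]))
# Reply seen from the intercepting device: TLS 1.2 legacy_version, a fresh session ID, no extensions at all
BAD_SERVER_HELLO = hs_record(2, b"\x03\x03" + RANDOM + b"\x20" + b"\x22" * 32 + b"\xc0\x2f" + b"\x00")
# Compliant reply: supported_versions selects TLS 1.3 and pre_shared_key accepts the offered PSK
GOOD_SERVER_HELLO = hs_record(2, b"\x03\x03" + RANDOM + b"\x20" + b"\x11" * 32 + b"\x13\x01" + b"\x00"
                              + ext_block([(SUPPORTED_VERSIONS, TLS13), (PRE_SHARED_KEY, b"\x00\x00")]))
```

Running `classify(CLIENT_HELLO, BAD_SERVER_HELLO)` yields the last verdict, the condition the January 2024 proxy update detects; the same check over real upstream hello pairs from the PCAPs separates this case from an ordinary TLSv1.2 session-ID resumption.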