E2guardian 5.3.4 SSL/MITM Kaspersky Cloud Issue


Diego Fonseca Elcain

Aug 4, 2020, 5:09:33 PM
to e2guardian
I have installed e2guardian 5.3.4 on CentOS 7 with SSL/MITM working normally for HTTPS requests; however, I have received the following alert when Kaspersky clients try to connect to the cloud:

https://195.122.177.150:443 CONNECT 403 0 - - - 241 - 154 * DENIED * Failed to negotiate ssl connection to client 0 SSL SITE no_name_group 1

I have already configured the Kaspersky network IPs as an exception in the Windows proxy, and I have already configured an exception in /etc/e2guardian/lists/nocheckcertsiteiplist;
however, the error persists and Kaspersky clients are unable to connect to Kaspersky cloud.

What should I do to solve this problem?

Philip Pearce

Aug 5, 2020, 4:44:14 AM
to Diego Fonseca Elcain, e2guardian
The failure is happening on the client-to-e2g SSL connection, and nocheckcert lists only affect the e2g-to-target-server SSL connection. This is likely due to the Kaspersky app not checking the Windows cert bundle but having the Kaspersky server cert embedded in the app.

In v5.3, add the kp IPs to the authexceptioniplist. This should prevent e2g trying to MITM them. If this does not work, add them to exceptionsiteiplist in all of your filtergroups.

When you upgrade to v5.4, add the kp IPs to both the authexceptioniplist and nomitmsiteiplist.

Philip
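
A log triage helper for the failure discussed in this thread, added here as an example; it is not part of any poster's message or of e2guardian. It counts access-log lines carrying "Failed to negotiate ssl connection to client" per destination so that repeat offenders can be reviewed before their IPs go into authexceptioniplist. The function name, the threshold and every sample line except the one quoted in the first post are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message text exactly as it appears in the log line quoted in the thread.
CLIENT_TLS_FAILURE = "Failed to negotiate ssl connection to client"
# Take the destination from the logged URL without assuming field positions.
URL_RE = re.compile(r"https://(\[[0-9A-Fa-f:]+\]|[^\s/:]+)(?::\d+)?")

# Constructed sample: line 1 is the line quoted in the thread, the rest are
# made up with documentation addresses and a placeholder hostname.
SAMPLE_LOG = """\
https://195.122.177.150:443 CONNECT 403 0 - - - 241 - 154 * DENIED * Failed to negotiate ssl connection to client 0 SSL SITE no_name_group 1
https://195.122.177.150:443 CONNECT 403 0 - - - 241 - 154 * DENIED * Failed to negotiate ssl connection to client 0 SSL SITE no_name_group 1
https://192.0.2.10:443 CONNECT 403 0 - - - 241 - 154 * DENIED * Failed to negotiate ssl connection to client 0 SSL SITE no_name_group 1
https://update.example.test:443 CONNECT 403 0 - - - 241 - 154 * DENIED * Failed to negotiate ssl connection to client 0 SSL SITE no_name_group 1
https://update.example.test:443 CONNECT 403 0 - - - 241 - 154 * DENIED * Failed to negotiate ssl connection to client 0 SSL SITE no_name_group 1
https://198.51.100.7:443 CONNECT 200 0 - - - 241 - 154
"""

def pinned_candidates(log_text, min_hits=2):
    """Return (ips, names): destinations with at least min_hits client-side
    TLS negotiation failures, split into literal IPs and hostnames."""
    hits = Counter()
    for line in log_text.splitlines():
        if CLIENT_TLS_FAILURE not in line:
            continue  # only the client<->e2g handshake failure is of interest
        match = URL_RE.search(line)
        if match:
            hits[match.group(1).strip("[]").lower()] += 1
    ips, names = {}, {}
    for dest, count in hits.items():
        if count < min_hits:
            continue  # one-off failures are more likely noise than pinning
        try:
            ipaddress.ip_address(dest)
            ips[dest] = count
        except ValueError:
            names[dest] = count  # hostname: not usable in an IP list as-is
    return ips, names

if __name__ == "__main__":
    ips, names = pinned_candidates(SAMPLE_LOG)
    print("# review before adding to authexceptioniplist:")
    for ip, count in sorted(ips.items()):
        print(f"{ip}  # {count} failed client handshakes")
    for name, count in sorted(names.items()):
        print(f"# hostname, resolve and review separately: {name} ({count})")
```
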


kd.gun...@googlemail.com

Oct 27, 2020, 5:49:51 PM
to e2guardian
Hi Philip,

As far as I understand your comment, there are applications running in Windows which are ignoring the Windows certificate store and thus ignore our self-signed certificate?
(I also see several "Failed to negotiate ssl connection to client" in my logs...)
Would it be possible to use an "official" certificate, e.g. from Let's Encrypt?

Best regards

Klaus

FredB

Oct 28, 2020, 4:34:46 AM
to kd.gun...@googlemail.com, 'kd.gun...@googlemail.com' via e2guardian
Hi Klaus, technically no and no official organisation can allow that.

A "fake" certificate can't be signed by an official authority.

