
Resolving Live Deployment SSL Issue Caused by MitM Proxy on Cisco Ironport

Issue

What is a MITM?

mitm-proxy is a Java-based SSL proxy that acts as a "man in the middle". In other words, proxied HTTPS requests are terminated by the proxy and re-sent to the remote web server. The server certificates presented to the client (i.e. a web browser) are dynamically generated and signed by the proxy and contain most of the same fields as the original web server certificate: the subject DN, serial number, validity dates, and extensions are preserved. However, the issuer DN is now set to the name of the proxy's self-signed certificate, and the proxy's own public/private key pair is used to create the forged certificate. These forged certificates are cached in memory by the proxy for better performance.

Scenario faced by the customer

The customer was seeing the error below while deploying subscriptions from Live -> Search -> select 'Subscriptions'.

No deployments could be added.


- Proxy tests seemed successful, and curl was working properly without authentication.
- The customer checked the settings in Admin -> System -> HTTP Proxy Settings and configured the Proxy Host and Proxy Port, then enabled and disabled SSL. Toggling SSL off and on seemed to allow intermittent access, in conjunction with enabling/disabling SSL on the Live Account. I do not believe that SSL worked in the Live Account test.


Resolution

1- Check whether the customer is using a MITM proxy.
2- If a MITM proxy is involved, ask the customer to allow a bypass on the MITM proxy to prevent this SSL issue.
3- Ultimately, the proxy configuration on the Cisco Ironport had to be changed by adding an entry to the whitelist: the connection was not being negotiated for encryption end to end, which is a bypass rule issue. This was identified as a self-signed certificate problem, also recognized as a proxy man-in-the-middle issue, and the setting had to be changed within the Cisco Ironport proxy server.
4- After publishing the edited version of the bypass rule in Cisco Ironport, there was a specific way to test whether the rule worked, using the SA IP address within the browser. This appeared to work without any errors.
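One way to carry out step 1 (determine whether a TLS-intercepting proxy sits between the NetWitness host and Live), as an added example that is not part of this article: a Python probe that opens a CONNECT tunnel through the configured HTTP proxy, completes a verified TLS handshake, and reports either the verification failure that a proxy-forged chain produces or the issuer name of the certificate actually presented. The hostnames and proxy address are placeholders; run it from the NetWitness host with the Live hostname and the proxy from HTTP Proxy Settings.

```python
import socket
import ssl


def open_connect_tunnel(proxy_host, proxy_port, host, port, timeout=10):
    """Ask an HTTP proxy for a CONNECT tunnel to host:port and return the raw socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:  # read until the end of the proxy's response headers
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    if len(status.split()) < 2 or status.split()[1] != "200":
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status}")
    return sock


def rdn_value(name, attr):
    """Extract one attribute (e.g. 'commonName') from getpeercert()'s nested-tuple name."""
    return next((v for rdn in name for k, v in rdn if k == attr), None)


def classify_cert(cert):
    """Label a getpeercert() dict: 'self-signed' when issuer == subject (the proxy's own
    root handed straight to the client), otherwise the issuer commonName for comparison
    against the issuer seen on an uninterrupted path."""
    if cert["subject"] == cert["issuer"]:
        return "self-signed"
    return rdn_value(cert["issuer"], "commonName") or "unknown-issuer"


def probe(host, port=443, proxy=None, timeout=10):
    """TLS handshake to host, optionally via a (proxy_host, proxy_port) tunnel. Verification
    stays ON: a proxy-forged chain shows up as a verify error (e.g. self-signed certificate
    in chain); a proxy CA already trusted by the OS shows up as an unexpected issuer."""
    raw = (open_connect_tunnel(proxy[0], proxy[1], host, port, timeout) if proxy
           else socket.create_connection((host, port), timeout=timeout))
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"verified": True, "issuer": classify_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"verified": False, "issuer": exc.verify_message}
    finally:
        raw.close()


if __name__ == "__main__":
    # Placeholder values: replace with the Live hostname and the customer's proxy address.
    print(probe("live.example.invalid", proxy=("proxy.example.invalid", 3128)))
```

Compare the output of a run through the proxy with one from a host that reaches Live directly: a different issuer, or a verify error only on the proxied path, confirms that the proxy is re-signing the certificate.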


Notes

The customer was very close to performing a build stick; however, this would not have fixed the issue.
The customer's LIVE account was also tested to make sure there were no issues with it.

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7

Summary

This issue prevents the customer from authenticating using SSL. Invariably, the customer can search in LIVE for specific rules such as App rules and subscribe to them, but could not deploy them without the appliance becoming unavailable. This is a man-in-the-middle proxy issue.

