Operational Defect Database


WatchGuard Technologies | kA10H000000g3TzSAI

Some certificates signed by Comodo not validated by HTTPS proxy

Last update date:

3/15/2017

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

If you configure the HTTPS proxy with Content Inspection, users cannot access HTTPS sites whose certificates are signed by these Comodo CAs:

COMODO RSA Certification Authority

COMODO RSA Extended Validation Secure Server CA

COMODO RSA Organization Validation Secure Server CA

This occurs because these Comodo CAs are not included by default in the Firebox certificate store. Comodo has, in the past, mistakenly issued certificates that represented a security risk to customers. For an example, see this Secplicity post: Accidentally Issued Fraudulent Certificates Could Help Phishers

Workaround/Solution

Here are two ways you can allow users to connect to sites with certificates signed by the missing Comodo CAs:

In the Domain Names rules, configure the Firebox to allow the specific impacted domain name. To learn more, see HTTPS-Proxy: Domain Names.

Import the missing CA certificates to your Firebox to validate all certificates signed by these CAs. The certificates are available on the Comodo support page at https://support.comodo.com/index.php?/Knowledgebase/List/Index/108/sha-2. For instructions on how to install a CA certificate, see Manage Device Certificates (Web UI).
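The failure described above, and the effect of the second workaround, can be reproduced with the openssl command line. The script below is an added example and is not WatchGuard's or Comodo's code: it generates two locally made root CAs with hypothetical names, issues a site certificate from the one that is deliberately left out of the trust store, and shows that validation fails until that CA is imported into the store. It assumes the openssl CLI (1.1.0 or later) is installed; the CA names, the hostname www.example.test and all key material are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the WatchGuard article): a leaf certificate chained
# to a CA that is absent from the trust store fails validation; importing that
# CA into the store makes the same certificate validate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA. $1 = file stem, $2 = CA common name (hypothetical).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# Issue a site certificate. $1 = leaf stem, $2 = hostname, $3 = signing CA stem.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.pem" -days 1 >/dev/null 2>&1
}

# Validate a leaf against a trust store (a concatenated PEM file) the way a
# proxy doing content inspection would. Prints OK or FAILED.
# $1 = leaf stem, $2 = trust store file.
validation_result() {
    if openssl verify -CAfile "$2" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

make_root_ca trusted-ca "Example Trusted Root CA"    # present in the store
make_root_ca missing-ca "Example Missing Root CA"    # stands in for the absent CA
make_leaf site "www.example.test" missing-ca         # site signed by the absent CA

# Trust store as shipped: only the trusted CA is present.
cp "$WORK/trusted-ca.pem" "$WORK/store.pem"
# Trust store after the workaround: the missing CA has been imported.
cat "$WORK/trusted-ca.pem" "$WORK/missing-ca.pem" > "$WORK/store-imported.pem"

echo "before import: $(validation_result site "$WORK/store.pem")"           # FAILED
echo "after import:  $(validation_result site "$WORK/store-imported.pem")"  # OK
```

The same check works against a real site certificate: save the served chain to a file and run `openssl verify -CAfile <your-store.pem>` against it; a result of "unable to get local issuer certificate" indicates that the issuing CA (not the site) is what the store is missing, which is exactly the situation the Domain Names exception or the CA import addresses.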


Status

Resolved
