Some sites do not load correctly in Chrome when SSL inspection is enabled
Symptoms
  • Slowness and intermittent loss of connection to Microsoft Office 365 after enabling HTTPS Inspection.

  • Kernel debug output (fw ctl debug -m fw + conn drop cptls) shows that after the gateway receives the certificate from the Office 365 website, it replaces it with a "fake" certificate and sends that to the client side:

    [wstlsd PID]@Gateway[DATE TIME] SRV_Create_certificate: using fake certificate.
    [wstlsd PID]@Gateway[DATE TIME] encode_certificate_chain: chain for sending (may or may not include root CA):
    [wstlsd PID]@Gateway[DATE TIME] 2 certificates


  • Once the gateway decides to use a "fake" certificate, it does not construct it from scratch but uses the existing one from its cache:

    [wstlsd PID]@Gateway[DATE TIME] cptls_params::fakeCertificate: called.
    [wstlsd PID]@Gateway[DATE TIME] fakeCertificate_fromCache: called.
    [wstlsd PID]@Gateway[DATE TIME] fakeCertificate_fromCache: original DN:
    CN=portal.office.com,OU=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=WA,C=US
    [wstlsd PID]@Gateway[DATE TIME] cptls_cert_cache::get_certKey: called.
    [wstlsd PID]@Gateway[DATE TIME] fakeCertificate_fromCache: certificate found in cache.
    [wstlsd PID]@Gateway[DATE TIME] cptls_params::fakeCertificate: found fake certificate in cache.


  • Finally, the "fake" certificate is seen to have fewer alternate names:

    DATE TIME;[fw4_0]; 2832: 12 77 6a 70 61 75 74 68 2e 6f 66 66 69 63 65 2e .wjpauth.office.; ;
    DATE TIME;[fw4_0]; 2848: 63 6f 6d 82 12 65 75 73 61 75 74 68 2e 6f 66 66 com..eusauth.off; ;
    DATE TIME;[fw4_0]; 2864: 69 63 65 2e 63 6f 6d 82 12 77 75 73 61 75 74 68 ice.com..wusauth; ;
    DATE TIME;[fw4_0]; 2880: 2e 6f 66 66 69 63 65 2e 63 6f 6d 30 0d 06 09 2a .office.com0...*; ;
    DATE TIME;[fw4_0]; 2896: 86 48 86 f7 0d 01 01 0b 05 00 03 82 02 01 00 81 .H............
Cause

When the gateway receives a certificate and has no cached copy of it, the certificate is saved in the cache. The issue occurs after this: after login to the Office 365 page, the browser is redirected to another Microsoft link, and in this new connection a different certificate with the same DN is presented, this time with more alternate names than the cached certificate.

Because the gateway only checks the DN as the search key in the cache, it finds that it already has this certificate in the cache and uses that one instead. As a result, the gateway serves a certificate containing fewer alternate names than expected.
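To make the cache-key defect described above concrete, the following is an added Python model (not Check Point code) of a fake-certificate cache that is keyed on the subject DN only, beside one keyed on the DN plus a digest of the SAN set. The DN and the SAN host names are taken from the debug output in the Symptoms section; the SAN list of the first certificate is a constructed assumption, and the class and function names are hypothetical.

```python
import hashlib

# Constructed sample data modelled on the debug output: both certificates share the
# subject DN, but the one presented after the redirect carries more alternate names.
DN = ("CN=portal.office.com,OU=Microsoft Corporation,O=Microsoft Corporation,"
      "L=Redmond,ST=WA,C=US")
FIRST_SANS = frozenset({"portal.office.com"})                   # assumption
SECOND_SANS = frozenset({"portal.office.com", "wjpauth.office.com",
                         "eusauth.office.com", "wusauth.office.com"})


class FakeCertCache:
    """Hypothetical model of the gateway's fake-certificate cache."""

    def __init__(self, key_on_sans):
        self.key_on_sans = key_on_sans
        self._cache = {}  # lookup key -> SAN set the fake certificate was minted with

    def _key(self, dn, sans):
        if not self.key_on_sans:
            return dn  # defective behaviour: the DN alone is the whole lookup key
        digest = hashlib.sha256(",".join(sorted(sans)).encode()).hexdigest()
        return (dn, digest)  # corrected: the SAN set is part of the key

    def fake_certificate(self, dn, sans):
        """Return the SAN set of the fake certificate served for (dn, sans)."""
        key = self._key(dn, sans)
        if key not in self._cache:
            self._cache[key] = sans  # mint a fake certificate copying the original's SANs
        return self._cache[key]


def simulate(key_on_sans, host="eusauth.office.com"):
    """First connection fills the cache, the redirect presents the larger certificate.
    Returns True if the fake certificate served on the redirect still covers `host`."""
    cache = FakeCertCache(key_on_sans)
    cache.fake_certificate(DN, FIRST_SANS)
    served = cache.fake_certificate(DN, SECOND_SANS)
    return host in served


if __name__ == "__main__":
    print("DN-only key covers redirect host:", simulate(False))   # False
    print("DN+SAN key covers redirect host:", simulate(True))     # True
```

Keying on a fingerprint of the whole original certificate would have the same effect as keying on the SAN digest here; the point is that the DN alone does not identify the certificate.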

