When accessing an HTTPS website that requires the Name Constraints critical extension (2.5.29.30), an SSL error is received in the browser
Symptoms
  • When accessing an HTTPS website that requires the Name Constraints critical extension,
    for example https://www.hnd.bayern.de, an SSL error is received in the browser, such as
    "NET::ERR_CERT_AUTHORITY_INVALID", although CRL validation succeeds for this and other sites.

  • While CRL/OCSP validation occurs on this website, the WSTLSD usermode debug shows:
    fwValidateCert: there are unhandled critical extension
    fwValidatePath: failed in level: 1
    cptls_Validation::CallBackOnFailed: result: -1001, error_level: 0
    cptls_Validation::CallBackOnFailed: ref_count after save: 3
    cptls_Validation: Chain is NOT trusted !!

Cause

Environment: HTTPS Inspection is enabled and configured to "Inspect" this website's traffic.

In this specific example, when WSTLSD validates the certificate of a website that includes "Unhandled critical extension - 2.5.29.30 (Name Constraints)", it fails since WSTLSD cannot parse this extension.

A hotfix is available to support "Critical Extension 2.5.29.30 - Name Constraints".
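
The debug line "there are unhandled critical extension" reflects the X.509 rule (RFC 5280) that a validator must reject a certificate carrying a critical extension it does not recognize. The following Python is an added example, not Check Point code: it parses a constructed DER extensions list and reports which critical OIDs are missing from a validator's handled set. The sample bytes, `HANDLED_BEFORE` and all function names are assumptions made for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this subidentifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first subidentifier packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def critical_extensions(ext_der):
    """List OIDs marked critical in a DER Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, nxt = read_tlv(ext, 0)
        t, val, _ = read_tlv(ext, nxt)
        if t == 0x01 and val != b"\x00":  # BOOLEAN TRUE; absent means FALSE
            found.append(decode_oid(oid))
    return found

def unhandled_critical(ext_der, handled):
    """Critical OIDs the validator does not handle; any hit must fail validation."""
    return [o for o in critical_extensions(ext_der) if o not in handled]

# Constructed sample (short-form lengths only), not taken from any real certificate.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _ext(oid, critical, value):
    return _tlv(0x30, _tlv(0x06, oid) + (_tlv(0x01, b"\xff") if critical else b"") + _tlv(0x04, value))
SAMPLE = _tlv(0x30,
    _ext(b"\x55\x1d\x13", True, _tlv(0x30, _tlv(0x01, b"\xff"))) +  # basicConstraints
    _ext(b"\x55\x1d\x1e", True, _tlv(0x30, _tlv(0xA0, _tlv(0x30, _tlv(0x82, b"example.test"))))) +  # nameConstraints
    _ext(b"\x55\x1d\x0e", False, _tlv(0x04, b"\x01\x02\x03\x04")))  # subjectKeyIdentifier
HANDLED_BEFORE = {"2.5.29.19", "2.5.29.14"}  # hypothetical validator without Name Constraints support
```

With `HANDLED_BEFORE` the check returns 2.5.29.30, which corresponds to the rejected chain in the debug output; adding that OID to the handled set returns an empty list.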

