Broken SSL cert caused by router?

Eygene Ryabinkin rea+nanog at grid.kiae.ru
Fri Mar 27 00:46:20 UTC 2015


Thu, Mar 26, 2015 at 03:38:55PM -0700, Mike wrote:
> I have a customer however that uses our web mail system now secured 
> with ssl. I myself and many others use it and get the green lock. But, 
> whenever any station at the customer tries using it, they get a broken 
> lock and 'your connection is not private'. The actual error displayed 
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate 
> Authority - G2". And it gets worse - whenever I go to the location and 
> use my own laptop, the very one that 'works' when at my office, I ALSO 
> get the error. AND EVEN WORSE - when I connect to my cell phone provided 
> hotspot, the error goes away!
> 
> As weird as this all sounds, I got it nailed down to one device - 
> they have a Cisco/Meraki MX64W as their internet gateway - and when I 
> remove that device from the chain and go 'straight' out to the internet, 
> suddenly, the certificate problem goes away entirely.
> 
> How is this possible? Can anyone comment on these devices and tell 
> me what might be going on here?

Sounds like deep packet inspection (DPI) with SSL MITM.  Reading
  https://meraki.cisco.com/lib/pdf/meraki_datasheet_mx.pdf
makes me believe that this device can do that.  Look for its
configuration, DPI for HTTPS must be active.
-- 
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"

Always code as if the guy who ends up maintaining your code will be
a violent psychopath who knows where you live.
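One way to confirm the interception theory from each vantage point in the thread (the office, the customer LAN behind the MX64W, the cell hotspot), as an added example written for this archive page and not code from the original thread: it records the SHA-256 fingerprint of the leaf certificate each path presents and flags the paths whose certificate differs from the one seen on a path you trust. The host name and the vantage-point labels are assumptions.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Return the DER leaf certificate presented on this path.
    Verification is disabled on purpose: when a DPI box re-signs the
    certificate, normal validation fails and we would never get to
    inspect the substituted certificate at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(reference_fp: str, observed: dict) -> list:
    """observed maps a vantage-point label to the fingerprint seen there.
    reference_fp is the fingerprint from the path you trust (here the
    cell hotspot). Every path presenting a different certificate has
    something terminating TLS in between. Caveat: a server farm with
    several certificates can also produce a mismatch, so compare the
    issuer as well before blaming the gateway."""
    return sorted(label for label, fp in observed.items()
                  if fp != reference_fp)


if __name__ == "__main__":
    # Run once from each network, then feed the values to diagnose().
    host = sys.argv[1] if len(sys.argv) > 1 else "webmail.example.invalid"
    print(host, fingerprint(fetch_leaf_der(host)))
```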

