An 'https' warning still appears each time we try to connect to the https URL

Latest reply: Dec 19, 2021 21:48:32

Hello everyone,

Today I'll share with you how to handle the "https" warning that appears when you connect to an HTTPS URL.

[Issue]

The SSL-encrypted Traffic Detection function was configured on the USG to check the content security of decrypted traffic, using the configuration example below:

https://support.huawei.com/hedex/pages/EDOC1000154459AEH0731H/07/EDOC1000154459AEH0731H/07/resources/admin/sec_admin_decrption_policy_0017.html?ft=0&fe=10&hib=6.16.7.3&id=sec_admin_ssldecrypt_0009&text=Web%3A%20Example%20for%20Using%20the%20SSL-encrypted%20Traffic%20Detection%20Function%20to%20Protect%20Client&docid=EDOC1000154459

Although the firewall's SSL decryption certificate is installed on the client PC, the https warning still appears each time you try to connect to an HTTPS URL, which is a bad experience for the customer.


[Analysis]

After checking the configuration and the mechanism of SSL-encrypted Traffic Detection, we found that this behavior occurs because no CA certificate issued by a trusted organization has been imported to the firewall.




Let me explain why, simply.

The firewall works as a proxy between the HTTPS server and the client: it terminates the TLS session coming from the server and sets up a separate TLS session to the client, so it is able to decrypt and re-encrypt the traffic between them.

When we configure SSL-encrypted Traffic Detection, we create 2 certificates on the firewall.



One of them is marked as Trusted.


And the other one is marked as Untrusted.


Only the trusted certificate is exported to the client PC and installed there as a trusted certificate.

The key point is when and why the USG uses each of these 2 certificates, which is explained below.


The firewall receives the certificate from the HTTPS server so that it can encrypt and decrypt the traffic between the server and the USG. The USG then validates the HTTPS server's certificate against the CA certificates issued by trusted organizations, which must be imported to the firewall.

The result of this validation decides which certificate (trusted or untrusted) the firewall uses to issue the certificate it sends to the client: the USG copies the server certificate's details as described above and signs that copy with the chosen certificate, so that it can encrypt and decrypt the traffic from and to the client.

If the server certificate is validated successfully, the USG sends the client a certificate issued under the trusted SSL decryption certificate, which is installed and trusted on the client, so no warning message appears.

If the server certificate is not validated, the USG sends the client a certificate issued under the untrusted SSL decryption certificate, which is not installed or trusted on the client, so a warning message appears to warn the users that the server certificate could not be validated and lets them choose whether to proceed or not.

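The decision path described above, reproduced locally with the openssl command line as an added example (this is not Huawei's code and not part of the original post). The names fw_trusted, fw_untrusted and corp_root, the hostnames and the temporary directory layout are assumptions, and every certificate is generated on the spot as constructed test data. It goes one step beyond the post by also running the four cases side by side: no CA imported (the root cause), the CA imported with a validatable server, the CA imported with a self-signed server, and the same self-signed server with the untrusted decryption certificate also installed on the PC (the workaround from the [Solution] section).

```shell
#!/bin/sh
# Added example (not Huawei code, not from the original post): a local
# simulation of the SSL-encrypted Traffic Detection decision, using only the
# openssl command line. Certificate names, hostnames and paths are assumptions;
# every certificate is generated here as constructed test data.
set -eu

WORK=$(mktemp -d)

# Minimal openssl config so CA certificates get CA:TRUE on both OpenSSL 1.1.1 and 3.x.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA certificate and key.
make_ca() {  # make_ca <name> <common name>
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# End-entity certificate for <host>: signed by CA <issuer>, or self-signed when
# <issuer> is "self" (an origin server that no imported CA can vouch for).
make_server_cert() {  # make_server_cert <name> <host> <issuer>
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

# Firewall step 1: validate the origin server's certificate against the CA
# certificates imported on the firewall (Object > Certificates > CA Certificates)
# and nothing else (-no-CApath). Prints the decryption CA the USG would sign with.
choose_decryption_ca() {  # choose_decryption_ca <server cert> <imported CA bundle>
    if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo fw_trusted
    else
        echo fw_untrusted
    fi
}

# Firewall step 2: mint the certificate the client actually sees: the origin
# server's subject, a fresh key, signed by the chosen decryption CA.
resign_for_client() {  # resign_for_client <server cert> <decryption CA name> <out name>
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/$subj" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -out "$WORK/$3.crt" >/dev/null 2>&1
}

# Client step: the browser warns unless the presented certificate chains to a
# certificate in the PC's trust store. Prints "ok" or "warning".
client_verdict() {  # client_verdict <cert presented to client> <client trust store>
    if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo warning
    fi
}

# Whole path: origin cert -> firewall decision -> re-signed cert -> client verdict.
simulate() {  # simulate <origin server name> <imported CA bundle> <client trust store>
    ca=$(choose_decryption_ca "$WORK/$1.crt" "$2")
    resign_for_client "$WORK/$1.crt" "$ca" "client_$1"
    echo "$ca $(client_verdict "$WORK/client_$1.crt" "$3")"
}

# Constructed scenario.
make_ca fw_trusted   "USG trusted SSL decryption CA"
make_ca fw_untrusted "USG untrusted SSL decryption CA"
make_ca corp_root    "Trusted organization root CA"   # the CA the post says to import
make_server_cert good_srv www.example.com corp_root   # validatable origin server
make_server_cert bad_srv  www.example.net self        # self-signed origin server

: > "$WORK/imported_none.pem"                         # firewall with no CA imported (root cause)
cp "$WORK/corp_root.crt" "$WORK/imported_fixed.pem"   # firewall after the fix
cp "$WORK/fw_trusted.crt" "$WORK/client_store.pem"    # PC trusts only the trusted decryption cert
cat "$WORK/fw_trusted.crt" "$WORK/fw_untrusted.crt" > "$WORK/client_store_workaround.pem"

echo "no CA imported, valid server:    $(simulate good_srv "$WORK/imported_none.pem"  "$WORK/client_store.pem")"
echo "CA imported, valid server:       $(simulate good_srv "$WORK/imported_fixed.pem" "$WORK/client_store.pem")"
echo "CA imported, self-signed server: $(simulate bad_srv  "$WORK/imported_fixed.pem" "$WORK/client_store.pem")"
echo "same, untrusted cert on PC too:  $(simulate bad_srv  "$WORK/imported_fixed.pem" "$WORK/client_store_workaround.pem")"
```

The first line reproduces the symptom from the post (a perfectly good server, yet the client gets a certificate from the untrusted decryption CA and warns), the second shows the fix, the third shows the warning doing its job, and the fourth shows why the workaround is a trade-off: the client says "ok" for a server the firewall could not validate. Note that `openssl verify` here checks the chain, the validity period and the CA constraints but not that the certificate name matches the URL; the post does not say exactly which checks the USG applies, so treat the verify call as a stand-in for the firewall's validation.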

[Root cause]

There is no CA certificate issued by a trusted organization imported to the firewall.


[Solution]

Import the CA certificate issued by a trusted organization.

Choose Object > Certificates > CA Certificates.


Click Update to import the CA certificate.


As a workaround, you can also install the untrusted SSL decryption certificate on the client (in the same way as the trusted SSL decryption certificate). In that case, even if the HTTPS server certificate is not validated and the USG sends the client a certificate issued under the untrusted SSL decryption certificate, no warning message appears. Be aware that this hides the warning for every server the firewall could not validate, including servers with genuinely invalid or forged certificates, so the client loses the signal the two-certificate design is meant to give; prefer importing the CA certificate and treat the workaround as temporary.

This is what I want to share with you today, thank you!


Thanks, I encountered this problem before, and it cost me a lot of time to solve it.
If I had read your post at that time, the troubleshooting would have been easier.

Mohamed_Mostafa Created Jul 20, 2019 14:05:51
Welcome bro  
Very good, thanks for your sharing.

Mohamed_Mostafa Created Jul 20, 2019 14:06:07
Welcome bro  
Great! Very useful, thanks. I recommend a Huawei certification learning website: spotoclub.com

Mohamed_Mostafa Created Jul 20, 2019 14:06:44
Thanks bro
Nice job, thanks

Good effort, thanks for sharing with us.

Thanks dear

Posted by MPatel at 2019-09-23 03:33: good efforts thanks for sharing with us
Welcome dear

I was facing the same problem; it really works, and of course a good effort. Thanks for sharing.

Welcome dear