Certificate issue - New modem, now all traffic over router has SSL issues


9 replies to this topic

#1 quick215

quick215

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 25 October 2016 - 06:34 PM

I recently purchased and installed a new modem, an Arris SB6183-RB. I went through the install with my provider and got everything enabled and set to go while I was on a direct ethernet connection. The ethernet connection still works fine.

My issue is once I send traffic over my wireless router, an ASUS RT-AC68U that I have had for two years and always worked great. Something is causing major security conflicts. Perhaps the firewall somehow? Basically, any device over the wireless network receives certificate security errors and websites cannot load. I have attached outlook.com screenshots as an example. I have two computers, and a smart phone, and any websites over the network now have problems. There are a few sites where certificates seem to work, and some apps on my phone seem to work fine. But the majority of websites:

1.) I get an alert from ESET antivirus about the faulty certificate.
2.) If I ignore that, Firefox is usually next on my tail.
3.) If I add an exception on Firefox and ignore, then it goes through OpenDNS and I am blocked on that end.

Basically, any traffic over my router is now hit with tons of warnings. I have tried the following:

1.) Updated the Firmware on the router, took a few flashes to get up to the most current Merlin version 380.62, did not help.

2.) I tried modifying a few settings in the router firmware that were recommended after updating to the latest Merlin, but these are more speed adjustments. Did not help.

3.) I went into the GUI for the Arris modem, which is pretty basic and limited. There are some errors and that on the System Log, but I don't know enough to decipher them. I did notice that the system time for the modem is 1 hour behind my actual time (Central US), and I know that certificate errors can happen because of time issues. The example outlook.com cert is a 5 day cert, and falls within the correct time.

4.) Verified that my system time is correct through the BIOS.


I did tons and tons of googling, but no one has had my specific issue. I am at a loss. Perhaps it's something as simple as a firewall setting on the Router, I do not know. But my internet network is currently unusable. I have to be tethered via ethernet just to make this post, as this site is of course blocked over the wireless network.

Any help? Thank you in advance.


Provider: Charter
Type: Cable
Windows 10 64 bit
ESET NOD32 is my antivirus

Computer: All devices are affected

Wireless distance: Sitting right next to router



#2 technonymous

technonymous

  • Members
  • 2,520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 PM

Posted 25 October 2016 - 08:28 PM

You have no IPv6 enabled on your network card and it's probably not set up in your router either. I highly recommend setting up IPv6 in the router and installing the IPv6 protocol. You're using an IPv6 DNS in your NIC. That, or change your DNS to Google's DNS: 8.8.8.8 - 8.8.4.4

 

ping your DNS eau.wi.charter.com (no reply)

 

ping -6 eau.wi.charter.com (no reply)

 

nslookup eau.wi.charter.com

 

I get...

 

server: unknown

address: fe80::8237:73ff:fefc:a176

 

ping fe80::8237:73ff:fefc:a176 (I get a reply)



#3 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:02:03 AM

Posted 26 October 2016 - 01:01 AM

The issuing CA of the certificate in the screenshots is not what it would normally be.

 

I don't know the products or ISP involved, so I can't point straight to the issue, but it's likely to be one of two or three things.

1) After replacing the modem, you are being redirected to some kind of captive portal (for example to set up the new modem, or to authenticate to your ISP)

2) SSL inspection is turned on somewhere (intercepting encrypted traffic, filtering it, then re-encrypting it with a certificate on the device doing the interception)

3) Your traffic is being maliciously intercepted (that's what these certificate checks are meant to protect against, but less likely in this case as you say the change came on with a legitimate technical change at your end)

Point 1 can be checked by going to a non-https site - can you get to it? If you can, then it's not a captive portal. If you get a certificate error, accept it (this time only) and see if you do end up on an equipment login page, or ISP portal.

Point 2 - SSL inspection is used by some security software or appliances to inspect all traffic, including that normally encrypted and indecipherable to it. The scanning can be to scan the traffic for viruses/malware, or otherwise filter content (forbidden content in a corporate environment or parental control). When you request an encrypted webpage, the software/appliance talks to the external webserver on your behalf (using that server's certificate to encrypt the connection over the net) but is unable to re-encrypt the traffic with the original certificate for onward transmission to your PC (HTTPS would not be much good if it could!). Instead it has to re-encrypt the traffic with a certificate of its own. In those cases you would install a root certificate public key (related to your security software/appliance) on your PC and that would allow your PC to trust the certificate generated by your security software/appliance. If this is what's happening, then you either need to install that CA or disable the SSL inspection feature in your software/appliance.

 

x64
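
Added example, not part of any post in this thread: all three causes x64 lists show up as an issuer that "is not what it would normally be", so this Python code reads the issuer out of whatever certificate a path presents, without validating it. The DER input is what `ssl.SSLSocket.getpeercert(binary_form=True)` returns on a connected socket; `SAMPLE`, the "Example Filter" names and the `expected_orgs` set are constructed for illustration and are assumptions, not values from the thread.

```python
OIDS = {b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}  # 2.5.4.10 and 2.5.4.3

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List (tag, start, end) for every element inside buf[start:end]."""
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def issuer_of(der_cert):
    """Return the issuer's O and CN from a DER certificate, without validating it."""
    _, s, e = tlv(der_cert, 0)              # Certificate SEQUENCE
    _, s, e = tlv(der_cert, s)              # tbsCertificate SEQUENCE
    fields = children(der_cert, s, e)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    _, s, e = fields[2]                     # serial, signature algorithm, then issuer
    found = {}
    for _, rs, re_ in children(der_cert, s, e):          # each RDN (SET)
        for _, a, b in children(der_cert, rs, re_):      # each attribute (SEQUENCE)
            (_, o1, o2), (_, v1, v2) = children(der_cert, a, b)[:2]
            if der_cert[o1:o2] in OIDS:
                found[OIDS[der_cert[o1:o2]]] = der_cert[v1:v2].decode("utf-8", "replace")
    return found

def issuer_is_expected(der_cert, expected_orgs):
    """True when the issuer organisation is one noted from a known-good path."""
    return issuer_of(der_cert).get("O") in expected_orgs

def enc(tag, *parts):  # tiny DER encoder (short lengths only) for the sample below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def x509_name(org, cn):
    return enc(0x30, *(enc(0x31, enc(0x30, enc(0x06, oid), enc(0x0C, v.encode())))
                       for oid, v in ((b"\x55\x04\x0a", org), (b"\x55\x04\x03", cn))))

# Constructed, unsigned certificate skeleton whose issuer is a made-up filtering service.
SAMPLE = enc(0x30, enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"),
             enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),
             x509_name("Example Filter", "Example Filter CA")))
```

Running `issuer_of` on the certificate seen over the wired path and again over the wireless path, then comparing the two results, separates a filtering or inspection device on one path from a problem with the site itself.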



#4 quick215

quick215
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 27 October 2016 - 07:45 AM

> The issuing CA of the certificate in the screenshots is not what it would normally be.
>
> I don't know the products or ISP involved, so I can't point straight to the issue, but it's likely to be one of two or three things.
>
> 1) After replacing the modem, you are being redirected to some kind of captive portal (for example to set up the new modem, or to authenticate to your ISP)
>
> 2) SSL inspection is turned on somewhere (intercepting encrypted traffic, filtering it, then re-encrypting it with a certificate on the device doing the interception)
>
> 3) Your traffic is being maliciously intercepted (that's what these certificate checks are meant to protect against, but less likely in this case as you say the change came on with a legitimate technical change at your end)
>
> Point 1 can be checked by going to a non-https site - can you get to it? If you can, then it's not a captive portal. If you get a certificate error, accept it (this time only) and see if you do end up on an equipment login page, or ISP portal.
>
> Point 2 - SSL inspection is used by some security software or appliances to inspect all traffic, including that normally encrypted and indecipherable to it. The scanning can be to scan the traffic for viruses/malware, or otherwise filter content (forbidden content in a corporate environment or parental control). When you request an encrypted webpage, the software/appliance talks to the external webserver on your behalf (using that server's certificate to encrypt the connection over the net) but is unable to re-encrypt the traffic with the original certificate for onward transmission to your PC (HTTPS would not be much good if it could!). Instead it has to re-encrypt the traffic with a certificate of its own. In those cases you would install a root certificate public key (related to your security software/appliance) on your PC and that would allow your PC to trust the certificate generated by your security software/appliance. If this is what's happening, then you either need to install that CA or disable the SSL inspection feature in your software/appliance.
>
> x64

 

Figured it out, essentially it was #2.

 
Thank you. I should have realized sooner that OpenDNS itself was the culprit. I went into my router's settings and eliminated the custom DNS that routes through OpenDNS and just left it as my regular ISP, and suddenly everything was working again. Today, I re-plugged in the OpenDNS into the router settings and it actually seems to be working fine as well. For the future, you are correct, the issue was related to OpenDNS's umbrella deal and the lack of a proper certificate. The certificate ends up being signed by OpenDNS instead of say Facebook.com, which results in the faulty SSL certificate issue. Solving it is supposed to require a special certificate download. See articles below, not the link at the top of the first link. Adding exceptions is a losing battle, see second article from Oct 2016:
 
 

Edited by quick215, 27 October 2016 - 07:53 AM.


#5 quick215

quick215
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 27 October 2016 - 07:47 AM

> You have no IPv6 enabled on your network card and it's probably not set up in your router either. I highly recommend setting up IPv6 in the router and installing the IPv6 protocol. You're using an IPv6 DNS in your NIC. That, or change your DNS to Google's DNS: 8.8.8.8 - 8.8.4.4
>
> ping your DNS eau.wi.charter.com (no reply)
>
> ping -6 eau.wi.charter.com (no reply)
>
> nslookup eau.wi.charter.com
>
> I get...
>
> server: unknown
>
> address: fe80::8237:73ff:fefc:a176
>
> ping fe80::8237:73ff:fefc:a176 (I get a reply)

Regarding ipv6, I had read some time ago that there were a rash of security vulnerabilities within ipv6, and at the time (probably a year or two ago), I completely disabled ipv6 upon recommendations from numerous articles. Perhaps things have gotten more stable and secure, but if I don't need to make the jump to ipv6, I see no reason to.

 

What does "you're using a IPv6 dns in your nic" mean? nic?


Edited by quick215, 27 October 2016 - 07:49 AM.


#6 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:07:03 PM

Posted 27 October 2016 - 07:23 PM

Google is your friend

NIC = network interface card

"What does "you're using a IPv6 dns in your nic" mean?"

It means you are using an IPv6 IP of a DNS server, but your router and the main protocol you are using [IPv4] are referencing a DNS server IPv4 can't talk to. Basically the DNS entry is invalid.



#7 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:02:03 AM

Posted 28 October 2016 - 01:08 AM

Where did all this chatter of IPv6 come from? It's certainly not relevant to the certificate issue..

 

x64



#8 technonymous

technonymous

  • Members
  • 2,520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 PM

Posted 28 October 2016 - 12:33 PM

> Where did all this chatter of IPv6 come from? It's certainly not relevant to the certificate issue..
>
> x64

From your ipconfig txt file that you provided. Your wired network card at one time was set up with IPv6 DNS pointing to eau.wi.charter.com. I was thinking that maybe your router was set up pointing to that same DNS. Either way your router wasn't configured right.



#9 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:02:03 AM

Posted 28 October 2016 - 02:37 PM

I'm not the OP (but I am a very experienced systems engineer). The "eau.wi.charter.com" in quick215's ipconfig output is a connection-specific DNS suffix, not a DNS server... The only active DNS server appears to be his router.

 

x64



#10 technonymous

technonymous

  • Members
  • 2,520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 PM

Posted 28 October 2016 - 05:57 PM

> I'm not the OP (but I am a very experienced systems engineer). The "eau.wi.charter.com" in quick215's ipconfig output is a connection-specific DNS suffix, not a DNS server... The only active DNS server appears to be his router.
>
> x64

My mistake, it was directed to the OP. I see what you're saying. I knew it was DNS router related, but my mind took me on another path.

