Author Topic: Scanning secured connections breaks SSL certificate authentication  (Read 1816 times)

Offline ondruska

  • Newbie
  • *
  • Posts: 14
I guess it is expected (that it stops working, see subject) as the server identifies itself now as Avast MITM but it should be noted somewhere. Am I correct?

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 725
Re: Scanning secured connections breaks SSL certificate authentication
« Reply #1 on: April 21, 2017, 11:28:53 AM »
What do you mean by "breaks SSL certificate authentication"? Certificate authentication
still works in your browser, only the issuer certificate is different (the original is checked
by the webshield).

There is some older technical info available for this topic at:
http://public.avast.com/~tuma/techinfo/

Offline ondruska

  • Newbie
  • *
  • Posts: 14
Re: Scanning secured connections breaks SSL certificate authentication
« Reply #2 on: April 21, 2017, 02:21:41 PM »
OK, I should have been more precise. SSL client certificate authentication does not work as the session is being set up between the client and Avast (MITM) and not proxied to the true destination SSL server. So in cases where the server requests an SSL client certificate, Avast MITM does not send any because it does not have the client’s private key anymore.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 4975
Re: Scanning secured connections breaks SSL certificate authentication
« Reply #3 on: April 24, 2017, 10:36:30 PM »
Can you give some example of the service you are trying to authenticate to? Are you able to connect with web shield disabled?
"People who are really serious about software should make their own hardware." - Alan Kay

Offline ondruska

  • Newbie
  • *
  • Posts: 14
Re: Scanning secured connections breaks SSL certificate authentication
« Reply #4 on: April 25, 2017, 09:20:37 AM »
For example https://portal.t-systems.cz and yes, with Scanning secured connections disabled I can authenticate with my client certificate.

Offline tumic

  • Moderator
  • Advanced Poster
  • *
  • Posts: 725
Re: Scanning secured connections breaks SSL certificate authentication
« Reply #5 on: April 25, 2017, 10:47:12 AM »
OK, I should have been more precise. SSL client certificate authentication does not work as the session is being set up between the client and Avast (MITM) and not proxied to the true destination SSL server. So in cases where the server requests an SSL client certificate, Avast MITM does not send any because it does not have the client’s private key anymore.

Yes, for servers that require client certificates you have to add an exception to the webshield at the moment.
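
A diagnostic sketch for the situation discussed in this thread, added here as an example and not code from Avast or from any poster: it classifies the issuer of the certificate a client actually receives, so you can tell whether the TLS session ends at a local scanning proxy (where a client certificate cannot be passed through) or at the real server. The issuer names, marker strings and sample certificates are constructed assumptions; whether a given process's traffic is scanned depends on the product.

```python
import socket
import ssl


def issuer_fields(peercert):
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}


def classify_issuer(peercert, expected_issuer_cn, interception_markers):
    """Return 'expected', 'intercepted' or 'unknown' for a parsed peer certificate."""
    fields = issuer_fields(peercert)
    if fields.get("commonName", "") == expected_issuer_cn:
        return "expected"  # chain comes from the CA the site really uses
    haystack = " ".join(fields.values()).lower()
    if any(marker.lower() in haystack for marker in interception_markers):
        return "intercepted"  # re-signed by a local scanning proxy's root
    return "unknown"  # different issuer, but not one we recognise


def fetch_peercert(host, port=443, timeout=5):
    """Live helper (needs network): the certificate as seen from this machine."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
DIRECT = {
    "subject": ((("commonName", "portal.example.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
PROXIED = {
    "subject": ((("commonName", "portal.example.test"),),),
    "issuer": ((("organizationName", "Example AV Vendor"),),
               (("commonName", "Example AV Web Shield Root"),)),
}

EXPECTED_CN = "Example Public CA G2"   # assumption: issuer recorded out of band
MARKERS = ["web shield", "av vendor"]  # assumption: strings naming the local proxy CA

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, classify_issuer(cert, EXPECTED_CN, MARKERS))
```

An "intercepted" result for a server that requires client certificates matches the failure described above, and the fix given in the thread applies: add an exception for that server in the webshield.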