Author Topic: SSL Scanning Behind SSL Inspection Firewall  (Read 800 times)

0 Members and 1 Guest are viewing this topic.

Offline dlcrow

  • Newbie
  • *
  • Posts: 3
SSL Scanning Behind SSL Inspection Firewall
« on: May 22, 2019, 10:48:56 PM »
Some times my computer is connected to a network that has an SSL inspection firewall which performs many of the same functions in the same way as the secure connection scanner in Avast.  Basically a local CA is created and used in the certificate chain.

Since I do use my computer outside of this environment, I do not want to turn off Avast's secure connection functionality so that I am always protected even if doubly so at times.

To make this environment work, I need to install a CA certificate into Avast's CA store.  It appears that Avast uses /Library/Application Support/Avast/config/CA/trusted as its store, but merely adding a pen for the CA into this directory doesn't seem to be enough for Avast to trust certificates presented by the SSL inspection firewall.  Without that, Avast will present its untrusted certificate to the browser.

Is there a way to install additional CA certificates for use by Avast?

Offline ondrej.kolacek

  • Avast team
  • Sr. Member
  • *
  • Posts: 211
Re: SSL Scanning Behind SSL Inspection Firewall
« Reply #1 on: May 24, 2019, 03:21:16 PM »
Hello,

Avast verifies the certificates against Mac OS X certificate store, like Safari does. As long as the certificate of the SSL inspection firewall is installed as a root CA authority certificate in Mac's keychain, all should work. This means that as long as certificates work correctly in Safari without Avast web shield, they should also work with it active.

Kind regards,
Ondrej Kolacek

Offline dlcrow

  • Newbie
  • *
  • Posts: 3
Re: SSL Scanning Behind SSL Inspection Firewall
« Reply #2 on: May 28, 2019, 01:42:20 PM »
Thank you for the reply, but that does not match the behavior that I am seeing.

Using the Keychain Access app, I can see the CA certificate for my firewall alongside the Avast trusted CA as a certificate in the System Keychain.

With Avast active, but the web shield disabled, I can load a URL and see the certificate chain by clicking on the lock icon in the URL location field shows my firewall generated certificate, an intermediate CA, and the root CA which corresponds to what is in they Keychain.

However, when I enable the Avast web shield and shift-reload the URL, the chain is not a chain at all and just shows the Avast untrusted CA certificate.

Is there a way to trace the Avast web shield to see what certificate authorities it knows about?

Offline dlcrow

  • Newbie
  • *
  • Posts: 3
Re: SSL Scanning Behind SSL Inspection Firewall
« Reply #3 on: May 28, 2019, 01:48:03 PM »
Upon further review, I do see that my firewall certificate is "trusted for this account" and the Avast trusted CA is "trusted for all users".  I was able to change the certificate from "always trust" to "use system default" and the certificate became "trusted for all users" and things now appear to work as expected.

Thanks for the information!
« Last Edit: May 28, 2019, 02:21:16 PM by dlcrow »