This week my colleague said she cannot connect to https://countrystores.vispronet.cz/, which she translates.
I found out that without a proxy I can reach the site, but through the proxy (Kerio Control) I no longer can. When I investigated the problem, I found this in my log:
[21 / Jun / 2017 13:44:23] IPS: Packet drop, severity: High, Rule ID: 1: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 220.127.116.11:443 (countrystores.vispronet.cz) -> 192.168.1.163:53752 (user: pdubska <at> interflag.local)
[21 / Jun / 2017 13:45:59] IPS: Packet drop, severity: High, Rule ID: 1: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.104.22.168:443 (countrystores.vispronet.cz) -> 192.168.1.163:53801 (user: pdubska <at> interflag.local)
I contacted SachsenFahnen, but they say the problem is on your side. I had to create an exception. I tried to find the database in which you found this SSL certificate (Dridex), but I did not find it on https://sslbl.abuse.ch/.
Can you check whether this is an error on your side, or can you send me the source in which you identified the SSL certificate as dangerous?
I sent this query to GFI two days ago, but have had no response yet.
Thank you very much.
PS: I apologize for the degraded links; the Kerio forum will not allow me to post links. But you can adjust them.
The site countrystores.vispronet.cz over HTTPS is in fact using an invalid certificate.
Result from a DigiCert independent test:
DNS resolves countrystores.vispronet.cz to 22.214.171.124
HTTP Server Header: nginx
Common Name = countrystores.vispronet.pl
Subject Alternative Names = countrystores.vispronet.cz, countrystores.vispronet.fr
Issuer = countrystores.vispronet.pl
Serial Number = 8831DAB75AA88234
SHA1 Thumbprint = 2C05DD551BE26FE51FE4B144AA2ED65396B8A044
Key Length = 2048
Signature algorithm = SHA256 + RSA (excellent)
Secure Renegotiation: Supported
SSL Certificate has not been revoked
OCSP Staple: Not Enabled
OCSP Origin: Not Enabled
CRL Status: Not Enabled
SSL Certificate expires soon
The primary SSL certificate expires on July 15, 2017 (19 days remaining)
Certificate Name matches countrystores.vispronet.cz
Valid from 15/Jun/2017 to 15/Jul/2017
SSL Certificate is not trusted
The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
Yes, you are right, the SSL certificate is not trusted, but that is not the problem. Using certificates whose authority is not verified cannot always be wrong.
I myself use the certificate created by Kerio Connect to access my email, and I do not consider that an error for internal purposes (at work).
The problem here is that this certificate is blocked before the browser can notify me that the certificate is invalid (or from an untrusted authority).
That's why I wanted to know which certificate database Kerio Control is using that is defective.
Access is blocked (dropped) by the Kerio Control IPS: IPS: Packet drop, severity: High, Rule ID: 1: 2022535
Sure, you can use Control to access a web page with a self-signed certificate.
Kerio IPS rules are pretty old ... so this seems to be a false positive.
You can set up Control to ignore the IPS rule (at your own risk).
Configuring ignored intrusions
In some cases, legitimate traffic may be detected as an intrusion. If this happens, define an exception for the intrusion:
In the administration interface, go to the Security log.
Locate the log event indicating the filtered traffic. For example: "IPS: Alert, severity: Medium, Rule ID: 1:2009700 ET VOIP Multiple Unauthorized SIP Responses"
Copy the rule ID number.
In the administration interface, go to Intrusion Prevention.
In the Advanced Intrusion Prevention Settings dialog, click Add.
Paste the rule ID number and a description.
Click OK and Apply.
The legitimate traffic is allowed now.
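As an added example (not from this thread, from Kerio or from abuse.ch), here is a Python triage script that parses IPS log lines in the layout quoted above, checks the served certificate's SHA1 thumbprint against a file in the abuse.ch SSLBL CSV layout, and flags drops whose fingerprint is not actually listed as candidates for the ignored-intrusions exception. The log lines, CSV rows, IP addresses and user are constructed; the CSV column layout (Listingdate,SHA1,Listingreason) is assumed from the published SSLBL feed.

```python
import re

# Constructed sample Kerio Control IPS lines in the layout quoted in this thread;
# addresses and user are placeholders (RFC 5737 ranges), not the real hosts.
IPS_LOG = """\
[21/Jun/2017 13:44:23] IPS: Packet drop, severity: High, Rule ID: 1:2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 203.0.113.10:443 (countrystores.vispronet.cz) -> 192.168.1.163:53752 (user: someone@example.local)
[21/Jun/2017 13:50:00] IPS: Alert, severity: Medium, Rule ID: 1:2009700 ET VOIP Multiple Unauthorized SIP Responses 198.51.100.7:5060 (pbx.example.net) -> 192.168.1.20:5060 (user: someone@example.local)
"""
# Constructed rows in the abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason);
# the fingerprint is made up and is deliberately NOT the one from the DigiCert report.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-06-20 09:12:00,0123456789abcdef0123456789abcdef01234567,Dridex C&C
"""
# SHA1 thumbprint of the certificate actually served, from the DigiCert result above.
SERVED_SHA1 = "2C05DD551BE26FE51FE4B144AA2ED65396B8A044"

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPS: (?P<action>[^,]+), severity: (?P<sev>\w+), "
    r"Rule ID: (?P<gid>\d+):\s*(?P<sid>\d+) (?P<msg>.*?) "
    r"(?P<src>\S+):(?P<sport>\d+) \((?P<shost>[^)]*)\) -> (?P<dst>\S+):(?P<dport>\d+)"
)

def parse_ips_line(line: str):
    """Return the fields of one Kerio IPS log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def normalize_sha1(fp: str) -> str:
    """Accept 'AA:BB:..' (Suricata tls.fingerprint style) or bare hex; return lowercase hex."""
    return fp.replace(":", "").strip().lower()

def sslbl_fingerprints(csv_text: str) -> set:
    """Collect the SHA1 column from SSLBL-style CSV, skipping comment and blank lines."""
    return {normalize_sha1(row.split(",")[1])
            for row in csv_text.splitlines() if row and not row.startswith("#")}

def triage(log_text: str, csv_text: str, served_sha1: str) -> list:
    """Per SSL Blacklist drop: is the served cert really listed? If not, the rule id is an exception candidate."""
    listed = sslbl_fingerprints(csv_text)
    results = []
    for line in log_text.splitlines():
        ev = parse_ips_line(line)
        if not ev or "SSL Blacklist" not in ev["msg"]:
            continue  # other rules (e.g. the SIP alert) are out of scope here
        hit = normalize_sha1(served_sha1) in listed
        results.append({"rule_id": f'{ev["gid"]}:{ev["sid"]}', "host": ev["shost"],
                        "severity": ev["sev"], "on_sslbl": hit, "candidate_exception": not hit})
    return results
```

Feed it the real SSLBL CSV download and the thumbprint from your own certificate check before adding a rule id to the ignored-intrusions list; a drop whose fingerprint is genuinely listed should stay blocked.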
[Updated on: Mon, 26 June 2017 17:34]