Absent Member.

"This connection is untrusted" - Certificate Problem

Using Webinspect 9.20

 

Attempting to record a login macro for an internal site using an SSL certificate signed by our internal CA.

 

Details state:

 

"domainIamscanning.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown."

 

If I click "add an exception" and check "permanently store this exception", it doesn't stick.

 

I have also installed our Root and Intermediate certificates into the respective Windows Certificate Store and restarted WebInspect. It still refuses to trust the cert.

 

Any ideas?

Absent Member.

Update: I've also tried adding the root and intermediate certificates by launching the browser in the HP hive. It doesn't seem to carry over while in WebInspect...which seems odd.

Absent Member.

I am also experiencing this same problem in Webinspect 9.30

Micro Focus Expert

WebInspect does not use the IE browser, but its own internal-yet-equivalent one, and this includes the acceptance of certificates.  In actual use, the scanner simply accepts all certs and moves on, as its aim is to scan and not be a safe browser.

 

The complication here may be in the Macro Recorder and the replay of your Macro.  I would record the macro, but then mark any certificate acceptance sessions as "Optional".  With this edit, those sessions can either be present or not during the actual replay of the Macro during the live scan, and it will not affect the replay.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Cadet 1st Class

Hi,

We're having a similar issue on our customers.

SSL cert error blocking us from replaying the macro properly.

How to: mark any certificate acceptance sessions as "Optional"

Where or how to do this step? Would you please provide more detail?

Thanks

Indra

Micro Focus Expert

@Indra

First, the workaround mentioned by @HansEnders is in response to an older version of the product over 5 years ago. To answer the question, you can click on the step where the certificate was accepted and there is an option to make that step optional. Making the step optional will not cause the macro to hang or fail if the step is not needed.


Second, what version of WebInspect are you running? The reason for my question is, the latest version of the Login Macro Recorder will generally ignore SSL errors and accept the certificate.

An example of this would be browsing to the https://www.badssl.com website within the Login Macro Recorder (Event). As you will see when clicking on any of the bad certificate situations, we should allow that cert - https://www.screencast.com/t/0Q4uCqz9.

Third, as mentioned in the video, we use our own root certificate. Make sure our root certificate is properly installed.

If you continue to experience a problem, please open a ticket with support for further investigation.

Cadet 1st Class

Thanks, I have opened the support ticket.

I have a feeling this is the WebInspect internal "safe browser" mechanism, so it immediately blocked the macro from moving forward due to the invalid SSL cert on the website it's going to scan.

Is this true? If yes, I will inform the client that they should repair the SSL cert first on their website before we can proceed.

(There's no issue with the scanning for websites with a valid SSL cert.)

Thanks

Cadet 1st Class

Apologies if something is technically incorrect. This forum software is driving me nuts. It says I had invalid HTML and modified my post, but didn't tell me what it modified. 😟

I'm not using Webinspect, but I'm guessing it's a Java app like the other Fortify tools? If so, putting root and intermediate certs in the Windows certificate store will do nothing for you. You need to put them where the JDK can find them. You need to add them to cacerts:

%JAVA_HOME%\jre\lib\security\cacerts

Use the Java keytool, which is in the java\bin directory on a command line.

The commands would be something like this:

keytool -import -alias myroot -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file "C:\certs\root.cer"
keytool -import -alias myintermediate -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file "C:\certs\intermediate.cer"

Then you can run the following to have it dump the trusted certs. You should see your certs in the list:

keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

Micro Focus Expert

@Michael-V you are correct about the challenges of the forum software. I've heard we are moving to another solution.

Regarding WebInspect, it is not like the other Fortify tools in that it is a .NET application. We rely on Windows certificate store.

@Indra I saw your ticket in the queue yesterday and we have a tech looking into it. If there is a problem with the SSL cert then it should be fixed; however, it should not prohibit us from scanning the site and this is what we need to look into.

You can try the following:

1.  Make sure the TruClient Browser (FireFox 59) is not running

2.  Open Windows Explorer and browse to the following location: Program Files\Fortify\Fortify WebInspect\dat59\ASCMasterProfile\

3.  Open the user.js file in a text editor and add the following:

    //*****************************DISABLE FIREFOX SECURITY WARNING*******************************

    user_pref("security.warn_entering_secure", false);

4.  Save the file then start your scan and create your Login Macro.

0 Likes
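
Added example, not part of the original thread and not WebInspect code: because the reply above says WebInspect relies on the Windows certificate store, this PowerShell script checks whether that store can build a trusted chain for the site's certificate and which store holds the issuer. The host name is a placeholder, Windows PowerShell 5.1 is assumed, and revocation checking is switched off as an assumption for an internal CA whose CRL may be unreachable.

```powershell
# Added diagnostic example; not WebInspect code. Host name is a placeholder.
param(
    [string]$TargetHost = 'intranet.example.internal',  # assumption: replace with the site being scanned
    [int]$Port = 443
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$leaf = Get-ServerCertificate -HostName $TargetHost -Port $Port

# Build the chain using only what the Windows stores (and AIA fetching) can supply.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)
"Chain trusted by the Windows store: $trusted"

# Per-element status: PartialChain means an issuer is missing,
# UntrustedRoot means the root is not in a trusted root store.
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    '{0}  [{1}]' -f $el.Certificate.Subject, $status
}

# Show which store, if any, holds the certificate that issued the server certificate.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
foreach ($store in $stores) {
    $hit = Get-ChildItem $store | Where-Object { $_.Subject -eq $leaf.Issuer }
    if ($hit) { "Issuer of the server certificate found in $store" }
}
```

Run it under the same Windows account that launches WebInspect, since the CurrentUser stores differ per account.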
Cadet 1st Class

@ebell 

Hi, I just checked that file (user.js); it's already set to:

 user_pref("security.warn_entering_secure", false);

So, I didn't make any new changes.

snapshot attached.

thanks

Indra

Micro Focus Expert

@Indra after reviewing the information submitted in the ticket, I provided an update in the ticket requesting additional information.
