Thu, Mar 26, 2015 at 03:38:55PM -0700, Mike wrote:
> I have a customer however that uses our web mail system now secured
> with ssl. I myself and many others use it and get the green lock. But,
> whenever any station at the customer tries using it, they get a broken
> lock and 'your connection is not private'. The actual error displayed
> below is 'cert_authority_invalid' and it's "Go Daddy Secure Certificate
> Authority - G2". And it gets worse - whenever I go to the location and
> use my own laptop, the very one that 'works' when at my office, I ALSO
> get the error. AND EVEN WORSE - when I connect to my cell phone provided
> hotspot, the error goes away!
>
> As weird as this all sounds, I got it nailed down to one device -
> they have a Cisco/Meraki MX64W as their internet gateway - and when I
> remove that device from the chain and go 'straight' out to the internet,
> suddenly, the certificate problem goes away entirely.
>
> How is this possible? Can anyone comment on these devices and tell
> me what might be going on here?

Sounds like deep packet inspection (DPI) with SSL MITM. Reading https://meraki.cisco.com/lib/pdf/meraki_datasheet_mx.pdf makes me believe that this device can do that. Look for its configuration, DPI for HTTPS must be active.
--
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"

Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
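
Added example, not part of the original thread: one way to test the interception hypothesis above is to record the SHA-256 fingerprint of the leaf certificate the webmail host presents on each network path (hotspot, office, customer LAN) and compare them. The function names, path labels and verdict strings are assumptions made for this sketch, and the byte strings used to exercise it are constructed.

```python
import hashlib
import socket
import ssl
import sys


def leaf_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the peer presents, without validating it.

    Validation is disabled on purpose: the goal is to record what is served
    on this network path even when a browser would reject the chain.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_paths(fingerprints: dict, trusted_path: str) -> dict:
    """Compare each path's recorded fingerprint with the trusted path's.

    "leaf-replaced": a different certificate was served on that path, which
    is what a TLS-terminating middlebox produces.
    "same-leaf": the server's own certificate arrived intact, so a trust
    error on that path has some other cause.
    """
    reference = fingerprints[trusted_path].lower().replace(":", "")
    verdicts = {}
    for path, fp in fingerprints.items():
        if path == trusted_path:
            continue
        same = fp.lower().replace(":", "") == reference
        verdicts[path] = "same-leaf" if same else "leaf-replaced"
    return verdicts


if __name__ == "__main__":
    # Run once per network path and note the output next to the path name.
    host = sys.argv[1]
    print(host, leaf_fingerprint(fetch_leaf_der(host)))
```

A site served from several hosts with different certificates can also produce a mismatch, so repeat the fetch a few times on the trusted path before drawing a conclusion.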