Has someone done a SSL Forward proxy transparent setup, with complicated rules for entreprise users, where netscaler is inline? (its default route for my client)

[Morten Kallesøe]

I am just playing around with in my lab, and there seems to be some caveats that you need to know of.

for example the website www.dr.dk is not allowing me to run through a proxy, but www.tv2.dk is just fine

I get a weird reset for dr.dk

[Morten Kallesøe]

maybe someone with alot of knowledge knows if the following is supported in forward proxy.

[Morten Kallesøe]

After enabling alot of logs in various places, i have something which is not undocumented error codes. (2570752 and 2523392)

Jan 4 15:06:57 <local0.info> 192.168.30.9 01/04/2024:15:06:57 GMT 0-PPE-0 : default SSLI DROPPED_LOG 8884 0 : Source 172.16.1.149:49869 - Destination 95.100.155.17:443 User: - Domain: www.dr.dk - Category: 0 Action: Connection dropped - Reason: Origin server certificate verification failed - server certificate has expired

But when looking in trace with wireshark, the cert thats been sent, is valid.

[Hemang Raval]

Hello Morten,

I just validated it in my lab and both websites are working fine via transparent proxy. Please raise issue with support to troubleshoot further.

Thanks and regards,

Hemang

[Morten Kallesøe]

Hi Hemang, thanks for the test.

Is it possible to add more debugging on to the logs?

i mean, it would be great with a print out of the origin server certificate that was used for the validation, and also, why is that certificate deemed "expired" (when in wireshark it looks vaild, and time is correct on NetScaler)

There could easily be a proxy on the other end, that handles my request differently for some reason.

[Hemang Raval]

There is no role of certificate on NetScaler in Transparent proxy mode. You can even run it without binding any certificate.

Also forward proxy on NS leverages existing LB/SSL infra.

There is a possibility that it is issue on client. Is behaviour tested with multiple clients?

[Morten Kallesøe]

when i connect directly to www.dr.dk from the client - there is no problem. and its only with that specific website. others work just fine via the proxy.

i dont have a certificate bound to the forward proxy.

I have a support session later today

[Morten Kallesøe]

could the failure of the Root CA also trigger this alert?

[Morten Kallesøe]

Hi Hemang, i am just testing with 1 client at the moment. but its still a problem. I also saw a similar error in a production setup, and i suspect the RootCA integrated list is not quite up-2-date with the LetsEncrypt CA's.

Can you confirm this?

[Morten Kallesøe]

Just for anyone else out there, this was a problem related to the CA bundle that NetScaler ships with. They have not updated the LetsEncrypt CA Certificates.

So, the error message is in understandable terms "your CA has expired, and the certificate sent by the server is sing this CA, therefor its rejected" and what it should say is "please update your CA certs"