Reputation: 239
ERR_BAD_SSL_CLIENT_AUTH_CERT
We've started encountering issues browsing to most https sites.
Examples include: https://technet.microsoft.com/, https://mail.google.com/, https://www.mozilla.org/en-US/firefox/new/, https://stackoverflow.com/
It appears that secure sites that we have visited previously work OK. Examples of these include: https://banking.westpac.com.au/, https://www.tppwholesale.com.au/login/, https://au.ingrammicro.com/
The errors we receive are:
- Chrome:
ERR_BAD_SSL_CLIENT_AUTH_CERT - Firefox:
SSL_ERROR_ACCESS_DENIED_ALERT - IE11/Edge: No helpful message, but Schannel 36887 errors are logged advising
The TLS protocol defined fatal alert code is 49.(These are also logged for Chrome, but not Firefox as it uses the Mozilla NSS encryption library.)
We can prevent the problem by disabling TLS1.1 & TLS1.2 and enabling SSL2 & SSL3. As SSL2/3 have known vulnerabilities we want to resolve this issue properly.
Problem has been observed on Win7, Win8.1, Win10 WS2012R2 machines. It's affecting all our laptop computers except one that hasn't been in the office for over a month.
Extensive googling has failed to yield anything helpful - most SSL connection issues that are discussed seem to focus on the server certificate.
The above errors suggest it being an issue with the client certificate that our browsers are sending to the servers, so I have these questions:
- Do SSL2/3 have different client certificate requirements to TLS1.x?
- What client certificate do browsers use (we don't have any certificates listed in the user or computer Personal stores)?
I hope there's an SSL/TLS guru out there that can assist!
Upvotes: 22
Views: 84324
Answers (4)
Reputation: 572
In Eset go to advanced setup. Then click WEB AND EMAIL, Expand SSL/TLS. Click on edit in List of known certificates. Change access to allow or remove sites from here.
Upvotes: 0
Reputation: 1
In Eset no need to Disable "Enable HTTPS Checking" . In Web access Protection click URL Management> Click Edit on address list then add on list of allowed addresses
Upvotes: -1
Reputation: 121
No need to uninstall ESET. Open ESET > Setup > Internet Protection > edit "Web Access Protection" > expand "Web Protocols" > disable "Enable HTTPS Checking".
Upvotes: 12
Reputation: 239
It appears that ESET antivirus is the culprit here. Thanks to Nicolas Rey for flagging this on a Chrome forum (refer https://productforums.google.com/forum/#!msg/chrome/WHw6ow1kGUs/MW3gt1hZEQAJ)
The rollback option that Nicolas suggested didn't help, but uninstalling and reinstalling ESET resolved the issue.
Upvotes: 1
Related Questions
- How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
- Client authentication using self signed ssl certificate for nginx
- Problem of SSL renegociation (SEC_I_RENEGOTIATE) in HttpWebRequest and no keep-alive
- Firefox "ssl_error_no_cypher_overlap" error
- Client Certificate Authentication failed in WebRequest\HttpClient C#
- WebService using TLS1.1, TLS1.2 unable to connect on development server, works in local development
- Can Firefox be forced to use ssl instead of tls
- Cipher selection for sslStream in .NET 4.5