topic Re: HTTPS Certificate Validation - ds.kaspersky.com / Harmony Endpoint in Firewall and Security Management

HTTPS Certificate Validation - ds.kaspersky.com / Harmony Endpoint

Ben_Dunkley — Tue, 12 Jul 2022 16:48:47 GMT

Hi,

After dealing with some certificate validation issues recently (resolved via sk64521 / sk173629 - slightly frustrating this isn't automatic by default), almost all of the certificate validation errors are gone.

The last remaining validation error is for the FQDN ds.kaspersky.com, which logs as follows (identifying & irrelevant info snipped out):

HTTPS Validation: Untrusted Certificate
Description: Certificate DN: 'CN=ds.kaspersky.com,OU=CIWD,O=AO Kaspersky Lab,L=Moscow,ST=Moscow,C=RU' Requested Server Name: ds.kaspersky.com. See sk159872
Destination: 82.202.185.148
Destination Port: 443
IP Protocol: 6
Action: Detect
Type: Log
Blade: HTTPS Inspection
Service: TCP/443
Product Family: Network
Resource: ds.kaspersky.com

This occurs across half a dozen or so destination IP addresses, but the same FQDN in each case.

Testing using openssl reveals the following certificate chain, and there are no Kaspersky certificates in Checkpoint's Trusted CA list, which is fine I guess, as it does look like Kaspersky are potentially just using their own CA, which may not be publicly trusted (i.e. if it is explicitly trusted in their products that leverage these services).

Certificate chain

0 s:/C=RU/ST=Moscow/L=Moscow/O=AO Kaspersky Lab/OU=CIWD/CN=ds.kaspersky.com

i:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA

1 s:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA

i:/DC=com/DC=kaspersky/DC=authenticity/CN=Kaspersky Lab Public Services Root Certification Authority

The part that is a little frustrating, is that all this traffic is originating from Check Point Harmony Endpoint clients!

So I'm curious what view others may have on this, ignore it? manually trust the CA? something else?

Thanks,

Ben

Re: HTTPS Certificate Validation - ds.kaspersky.com / Harmony Endpoint

Ben_Dunkley — Tue, 12 Jul 2022 16:52:35 GMT

(Also trusting the CA raises the whole subject of the Kaspersky situation (sk178688, sk118539, etc), but that's a whole different topic 😉 )

Re: HTTPS Certificate Validation - ds.kaspersky.com / Harmony Endpoint

_Val_ — Wed, 13 Jul 2022 06:49:05 GMT

As you have mentioned yourself, Kaspersky is a tricky subject. However, you can manually configure to trust that cert, if you are absolutely sure this is what you want/need.

Re: HTTPS Certificate Validation - ds.kaspersky.com / Harmony Endpoint

TP_Master — Wed, 13 Jul 2022 09:22:08 GMT

Hi Ben,

Yes this is a certificate originating from our usage of the Kaspersky SDK in this version of Harmony Endpoint. It has been signed like that (with Kaspersky CA) for the past few years, it is not new.

I guess the answer to your question goes back to you - what is your goal? you want to suppress those "Untrusted Certificate" logs on the GW? then you can trust it .. do you just want to know if it's "suspicious"? then no it's not suspicious.

HTH