Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Problem accessing www.amazon.com when DPI-SSL is enabled

LarryLarry All-Knowing Sage ✭✭✭✭

Client reported problem accessing www.amazon.com this week.

Sure enough, the web browser shows an error:

Clicking for the certificate information, it shows:

Accessing the same website on a computer in a site without DPI-SSL shows the following certification information:

I am at a loss for determining a way to fix this.

Does anyone have any suggestions?

Thanks!

Category: Entry Level Firewalls
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Larry I had a similar case this week regarding Amazon myself. I'am still in the process to wrap my head around it.

    It seems to be related to a specific certificate issued to the Amazon servers for *.peg.a2z.com. Whenever this certificate is served the DPI-SSL does not work. It seems that some form of Load Balancer causes different Certs for amazon.com (or amazon.de in my case).

    As quick fix I excluded the following URLs from DPI-SSL until figuring out the cause.

    .amazon.com
    .amazon.de
    .media-amazon.com
    .ssl-images-amazon.com
    amazon.com
    amazon.de
    

    It might be related to Cert lifetimes, but not sure about it.

    --Michael@BWC

  • prestonpreston Enthusiast ✭✭

    @Larry , check the DPI-SSL Client logs as it may just be missing CA certs in the SonicWall, I know in the past I had to import 4 extra CA certs for Amazon in to the SonicWall, these ones below

    Amazon Root CA 1

    Serial - 067F9457508C648C09CA652E71791830E72592

    Starfield Services Root Certificate Authority - G2

    Serial - 067F94574BB7075D3E48965C783224AA754FED

    Amazon Root CA 2

    Serial - 067F945755F187A91F8163F3E624620177FF38

    Amazon Root CA 4

    Serial - 067F94575A8862A9072E3239C37CEBA1274E18

  • LarryLarry All-Knowing Sage ✭✭✭✭

    @BWC - Michael, I like the "quick and easy" approach. So I started with two entries and checked.

    No improvement, but no additional entries in the DPI-SSL log (thank you for reminding me to look there @preston ).

    But what I did see was in the System log was this:

    And 13.225.210.18 is an Amazon data center.

    So now I'm questioning why accessing the www.amazon.com should cause the device to think there's something else nefarious going on...

    (of course, the CSR who is attempting to work this case is over his head and - having already spent an hour getting nothing accomplished other than pulling Trace log and TSR - wants to spend more time poking around)

    Will investigate those certs because the numbers above do not match what's in the device.

  • LarryLarry All-Knowing Sage ✭✭✭✭

    @preston I went here https://www.amazontrust.com/repository/ downloaded the CER files and imported them locally into MMC (Personal) to check the serial numbers. They match what is in the client's TZ600.

    How did you obtain files with those serial numbers? And, should I use them?

  • prestonpreston Enthusiast ✭✭
    edited November 2021

    not sure where I got them from it was a while back, change the extension back to Zip then extract, I imported them as CA certs

    they may have been superceded with new ones, the only way to really check is to turn off DPI-SSL or test from a pc with it disabled and then go to Amazon and check all the CA certs in the chain and their serial numbers, that's what I did intitially as some pages on Amazon loaded but not all.

    I would also check the Digicert ones also as recently I've had to include another CA for this

    DigiCert TLS RSA SHA256 2020 CA1

    Serial -0a3508d55c292b017df8ad65c00ff7e4

    you can get this from Digicert.com

    In most DPI-SSL Client deployments I would exclude shopping and banking sites from Inspection anyway

  • LarryLarry All-Knowing Sage ✭✭✭✭

    @preston I'm going to take that last bit of advice.

    I've checked Shopping in the CFS exclusions for DPI-SSL to let the office admin do her holiday shopping.

    I'm going to pick up this case with Support next week to identify exactly what's going on and what steps to take to let it work properly (again).

Sign In or Register to comment.