Note: Importing the intermediate CA certificates from the site into the ProxySG appliance will usually solve this issue. The article explains why this behavior is observed.
When visiting an affected site, the user will see the following:
In this case, the site is https://secure.macyspartners.com/. It has alrady been established that the root CA certificate for this site has already been imported into the ProxySG. Strictly speaking, this is all that is needed to make the site work. However, in this case the transaction still fails unless all intermediate certificates are imported into the ProxySG appliance.
The reason for this is that the whole certificate chain to the client during the SSL handshake is not provided. The server can either send a single certificate or a certificate chain. A certificate chain is considered to be complete when it ends in a self-signed (root) certificate. The ProxySG attempts to complete the certificate chain by looking up the missing CA certificates locally. If the intermediate certificate is not found and nothing in the SSL server handshake points to the Root CA, the ProxySG will not know how to complete the chain and will fail the SSL transaction.
To better visualise this, let’s compare two packet captures showing the SSL server handshake from a working site (https://www.google.com) and one from the site that’s showing the error (https://secure.macyspartners.com/)
Viewing the working packet capture:
As shown in the packet capture, the server sends two certificates. The first is the website certificate. Within this certificate the “issuer” attribute points to the next Intermediate certificate in the chain. The proxy follows this attribute and finds this intermediate certificate in the second certificate sent from the server. This intermediate certificate in turn points to the root CA certificate in its “issuer” field. Since this root CA certificate is not included in the server’s SSL handshake, the proxy looks up its CA certificate cache to see if this is present. If it is, then the certificate chain is trusted.
Contrast this to the site that is not working:
Notice that in this case the server sends only one certificate, that of the website. As before, this certificate contains an “issuer” attribute that points to the intermediate certificate. However, this intermediate certificate is not present in the server’s SSL handshake, so the ProxySG appliance looks up its CA certificate cache to see if this certificate is present. Because the ProxySG appliance does not usually come loaded with intermediate CA certificates, this fails and the certificate chain is untrusted.
The workaround is to disable server certificate validation, or to manually add the intermediate certificates to the ProxySG.