Re: [TLS] SSL cert - CA issuer question - Windows Event Reporting CA
M K Saravanan <mksarav@gmail.com> Wed, 07 June 2023 18:03 UTC
From: M K Saravanan <mksarav@gmail.com>
Date: Thu, 08 Jun 2023 02:03:35 +0800
Message-ID: <CAG5P2e-07uZjWOJ-hbdd7HyMDGSU-RGFpbCJmk97yvOn2Rj=7g@mail.gmail.com>
To: Bas Westerbaan <bas@cloudflare.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Cw5TdNNE6j6zJHX38fc_ujYTHds>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Thanks Bas.

After sending the original post email, I later escalated this to the security team in my company and I was told that there is some security software which has been installed in all corporate-issued laptops, which in turn installed that CA cert in the root store and is doing the interception of traffic for security scanning, etc. So it is as per corp. security policy. Issue resolved.

Thanks a lot for your comments.

On Wed, 7 Jun 2023 at 22:48, Bas Westerbaan <bas@cloudflare.com> wrote:

> The second certificate is ours. The first is not. Thus on the first
> connection, a third party is in the middle (MitM). They must've added a
> root certificate to your browser's trust store.
>
> Bas
>
>
> PS. That it only happens on the first visit might be because that is over
> HTTP/2 whereas subsequent visits are over QUIC, which the interception
> software/hardware might not support.
>
> On Wed, Jun 7, 2023 at 3:52 PM M K Saravanan <mksarav@gmail.com> wrote:
>
>> Hi,
>>
>> Of late I noticed a behaviour with many https websites.
>>
>> When I first access that website, for e.g. https://www.cloudflare.com
>> the issuer CA is shown as “Windows Event Reporting CA”. When I access the
>> same site subsequently, it is showing proper CA as “Cloudflare Inc ECC CA -3”.
>>
>> [image: image.png]
>>
>> [image: image.png]
>>
>> What is this Windows Event Reporting CA? Why does it show this as CA when
>> accessing for the first time?
>>
>> With regards,
>>
>> Saravanan
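
Added example, not part of the original thread or any poster's code: a Python check that compares the issuer of a validated leaf certificate against an allow-list, which is how the substitution described above shows up on an endpoint. The allow-list, the helper names and the two sample certificates are constructed for illustration; only the two issuer names come from the thread.

```python
import socket
import ssl

# Assumption: issuers we expect for the monitored host (hypothetical allow-list).
EXPECTED = {"Cloudflare Inc ECC CA-3"}

# Constructed samples in ssl.getpeercert() format, using the issuer names from the thread.
SAMPLE_FIRST_VISIT = {
    "subject": ((("commonName", "www.cloudflare.com"),),),
    "issuer": ((("commonName", "Windows Event Reporting CA"),),),
}
SAMPLE_LATER_VISIT = {
    "subject": ((("commonName", "www.cloudflare.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "Cloudflare Inc ECC CA-3"),)),
}

def issuer_field(cert, field="commonName"):
    """Return one attribute of the issuer from a getpeercert() dict, or None."""
    # 'issuer' is a tuple of RDNs; each RDN is a tuple of (name, value) pairs.
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None

def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Handshake over TCP and return the leaf certificate as a dict."""
    # The default context validates against the local trust store, so a root
    # installed there by interception software makes this handshake succeed.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def classify_issuer(cert, expected_issuers):
    """Return (verdict, issuer_cn); verdict is expected, unexpected or no-issuer."""
    cn = issuer_field(cert)
    if cn is None:
        return "no-issuer", cn
    return ("expected" if cn in expected_issuers else "unexpected"), cn

if __name__ == "__main__":
    for label, cert in (("first visit", SAMPLE_FIRST_VISIT),
                        ("later visit", SAMPLE_LATER_VISIT)):
        print(label, classify_issuer(cert, EXPECTED))
    # Live check (needs network): classify_issuer(fetch_leaf_cert("www.cloudflare.com"), EXPECTED)
```

fetch_leaf_cert connects over TCP, so it exercises the non-QUIC path that the PS in the quoted reply refers to.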