2025-02-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Written in the final days of Forefront Threat Management Gateway 2010.
On Saturday I suddenly got a call from the boss: the group boss's mobile email had stopped working (why it happened again is another story, to be told another time).
Following the plan, we did a few things:
1. Tested mobile email on our own Apple devices: normal. The boss uses a HUAWEI Honor Note8, so we found another Huawei user and tested with them as well.
2. Checked the TMG log, searching the access log by this user name. The last visit was at 9:38 on Friday night.
3. In other words, after that point there was no TMG connection from the client at all, so of course the mail would not sync.
Failed Connection Attempt TMGServer01 6/28/2019 9:38:06 PM
Log type: Web Proxy (Reverse)
Status: 10054 An existing connection was forcibly closed by the remote host.
Rule: ActiveSync Rules 1
Source: External (114.11.111.222:40953)
Destination: Local Host (172.0.0.11)
Request: POST http://mail.domain.com.cn/Microsoft-Server-ActiveSync?Cmd=Ping&User=domainname%5Cusername1&DeviceId=androidc1003508868&DeviceType=Android
Filter information: Req ID: 0e8c098b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: paicdom\username1
Additional information
Client agent: Android/8.0.0-EAS-2.0
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 480093
MIME type: application/vnd.ms-sync.wbxml
Checked the IIS log, again searching by user name: only EWS access records, nothing for ActiveSync, and no record at all after 09:30 on Friday.
Suspecting the user's mailbox was corrupted, I moved it to another database with New-MoveRequest. That changed nothing.
Talking it over with the boss, the only change before the failure was that another colleague had replaced the public certificate bound to the listener on Friday night. But we had tested that Apple mobile email still worked, which suggested the certificate was fine, so I felt this suspicion did not hold up.
It was also unclear whether the client was really not connecting or whether the server might be rejecting it. So I turned on debug logging on TMG and typed a wrong password in a browser to simulate a server rejection; the log showed an Access Denied record. Rejection by the server was therefore ruled out.
Next I wondered whether the client was being dropped below layer 7, before it ever reached the first TMG rule, so that no record could be found by user name. Using the last IP the client had connected from, with Client IP as the filter condition, we did find records: the client was repeatedly establishing a connection with the TMG server and then releasing it normally. The certificate change was now the prime suspect.
I then installed Network Monitor and captured packets. The TCP three-way handshake was normal; after TMG sent the SSL certificate to the client, the client replied with FIN and closed the connection. We decisively rolled the certificate change back, and after a while the client was connecting normally again.
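The pivot described above, from user name to client IP, is the step that exposed the failure, because a connection that dies during the TLS handshake never carries a user name. The following PowerShell is an added example, not part of the original post: it parses a handful of records that I constructed in the exported field-per-line shape quoted earlier (the 9:40 and 9:41 records and the second client are invented) and shows why a user-name search comes up empty while an IP search does not.

```powershell
# Added example, not part of the original post. The records below are
# constructed in the exported field-per-line shape quoted above; the 9:40
# and 9:41 records and the 203.0.113.5 client are invented to show a client
# that keeps opening and closing connections before any rule or user name
# is recorded.
$sampleLog = @'
Failed Connection Attempt TMGServer01 6/28/2019 9:38:06 PM
Status: 10054 An existing connection was forcibly closed by the remote host.
Rule: ActiveSync Rules 1
Source: External (114.11.111.222:40953)
User: paicdom\username1
Client agent: Android/8.0.0-EAS-2.0

Closed Connection TMGServer01 6/28/2019 9:40:15 PM
Source: External (114.11.111.222:41002)
User: anonymous

Closed Connection TMGServer01 6/28/2019 9:41:03 PM
Source: External (114.11.111.222:41010)
User: anonymous

Allowed Connection TMGServer01 6/28/2019 9:41:30 PM
Rule: ActiveSync Rules 1
Source: External (203.0.113.5:50001)
User: paicdom\username2
'@

# Parse one record per blank-line-separated block into an object.
$records = foreach ($block in ($sampleLog -split '(?:\r?\n){2,}')) {
    $lines = $block.Trim() -split '\r?\n'
    # Header line: "<result> <server> <date time>"
    if (-not ($lines[0] -match '^(?<result>.+?) (?<server>\S+) (?<time>\d+/\d+/\d+ .+)$')) { continue }
    $rec = @{ Result = $Matches['result']; Time = $Matches['time']; Rule = ''; User = ''; ClientIP = '' }
    foreach ($l in $lines) {
        if ($l -match '^([A-Za-z ]+):\s*(.*)$') { $rec[$Matches[1]] = $Matches[2] }
    }
    # Pull the client IP out of "External (ip:port)".
    if ($rec['Source'] -match '\((\d{1,3}(?:\.\d{1,3}){3}):\d+\)') { $rec['ClientIP'] = $Matches[1] }
    New-Object PSObject -Property $rec
}

# Searching by user name finds only the authenticated 9:38 record ...
$byUser = @($records | Where-Object { $_.User -eq 'paicdom\username1' })
"Records for paicdom\username1: $($byUser.Count) (last at $($byUser[-1].Time))"

# ... pivoting to that record's client IP shows the connections that never reached a rule.
$clientIp = $byUser[-1].ClientIP
$byIp   = @($records | Where-Object { $_.ClientIP -eq $clientIp })
$noRule = @($byIp | Where-Object { -not $_.Rule })
"Records for $clientIp : $($byIp.Count), of which $($noRule.Count) closed before any rule matched"
$noRule | ForEach-Object { "  $($_.Time)  $($_.Result)" }
```

With the constructed input the user-name search returns one record (9:38 PM) while the IP search returns three, two of them with no rule and no user, which is the pattern the post found in the real log. Against a real export, the same parsing works on any block that keeps the "Key: value" layout, and the user name and IP come from the record you want to pivot on.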
Although the fault was resolved, the old certificate expires in a week and still has to be replaced.
On Monday I went to the user's site and reproduced the problem by pointing the device at a TMG with the new certificate. When I tried to configure a new profile, the client showed a clear error: unable to connect to the server because the certificate was invalid or untrusted.
The boss said he could requisition an identical device to reproduce the problem. We searched all the major e-commerce sites; only SUNING had it in stock, so an order was placed right away to get one to play with.
Why would a certificate trusted by iOS not be trusted on the HUAWEI device? I asked the colleague who had replaced the certificate to walk me through the import. He opened the certificate MMC and imported the pfx directly under Personal, so the SSL certificate, the intermediate CA certificate and the root CA certificate all landed in the Personal store. I nearly coughed up a mouthful of old blood. Checking the Intermediate Certification Authorities and Trusted Root Certification Authorities stores: the intermediate store had no intermediate CA certificate for the new certificate at all. That was the cause. After importing the intermediate CA into the right store and waiting a while, the listener applied the new certificate and the certificate-verification error did not come back.
One more wrinkle: HUAWEI devices cache the result of certificate verification, so the fix does not take effect immediately after the server imports the intermediate CA. It can take several hours before the client asks the server for a certificate chain again. If the certificate has already been judged invalid, the client keeps waiting even though the server is now configured correctly; restarting the phone clears the cache, so just restart it.
Searching Baidu for "intermediate certificate authority" turned up a fairly detailed blog post (https://xz.aliyun.com/t/2531). One passage explains that the server sends the complete list of certificates in chain-of-trust order: first the server certificate, then the certificate of the intermediate CA that issued it, then the next intermediate CA, and so on up to the root CA. The server does not have to send the root CA certificate, because in most cases the browser can recognize the root CA from any intermediate CA. An e-mail client like HUAWEI's performs relatively strict chain verification during the SSL/TLS handshake: it needs to receive both the server certificate and the intermediate CA before it considers the server certificate valid, whereas Apple only needs to trust the root CA of the certificate to consider it valid.
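The store check that would have caught this before the listener change, covering both the misplaced intermediate described two paragraphs up and the chain-order requirement just quoted. This PowerShell is an added example, not code from the original post: it runs on the TMG server in an elevated session, builds the chain for the listener certificate, and reports which LocalMachine store each certificate in the chain actually sits in. The thumbprint and the intermediate.cer file name are placeholders.

```powershell
# Added example, not from the original post. Run on the TMG server in an
# elevated PowerShell. $listenerThumbprint is a placeholder for the
# thumbprint of the certificate bound to the web listener.
$listenerThumbprint = 'REPLACE_WITH_LISTENER_THUMBPRINT'
$leaf = Get-Item "Cert:\LocalMachine\My\$listenerThumbprint"

# Build the chain the way Windows does (revocation skipped; this is a store check).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)
"Chain builds on this machine: $built"
foreach ($s in $chain.ChainStatus) { "  chain status: $($s.Status) - $($s.StatusInformation)" }

# Windows can complete a chain from its own cache or by downloading the issuer
# (AIA), so a successful Build() does not prove the intermediate is in a store
# the server sends from. Check which LocalMachine store each element lives in.
$stores = 'My', 'CA', 'Root'   # Personal, Intermediate CAs, Trusted Root CAs
$elements = $chain.ChainElements
for ($i = 0; $i -lt $elements.Count; $i++) {
    $cert = $elements[$i].Certificate
    $role = if ($i -eq 0) { 'leaf' } elseif ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'intermediate' }
    $in = @(foreach ($s in $stores) { if (Test-Path "Cert:\LocalMachine\$s\$($cert.Thumbprint)") { $s } })
    "[{0}] {1}`n      issued by {2}`n      present in: {3}" -f $role, $cert.Subject, $cert.Issuer, ($in -join ', ')
    if ($role -eq 'intermediate' -and $in -notcontains 'CA') {
        "      WARNING: not in Cert:\LocalMachine\CA, so the listener will send an incomplete chain."
        "      Import it there, e.g.: certutil -addstore CA intermediate.cer   (placeholder file name)"
    }
    if ($role -ne 'leaf' -and $in -contains 'My') {
        "      NOTE: CA certificate sitting in Personal (typical of a pfx imported there with its whole chain)."
    }
}
```

In the situation the post describes, the intermediate element would print "present in: My" with the warning, which is the misconfiguration that iOS tolerated and the HUAWEI client did not. To see what the listener actually hands out, from any machine with OpenSSL, `openssl s_client -connect mail.domain.com.cn:443 -servername mail.domain.com.cn -showcerts` lists every certificate the server sent; a single certificate in that output means the client is expected to find the intermediate on its own.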
© 2024 shulou.com SLNews company. All rights reserved.