This document is under revision.
Summary
Error
Error message seen in MX’s PolicyEngine.log
(connectWebsocket threw NetException: SSL Exception: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify faile
Cause
Packet Analyzers/sniffers and the impact to CMX
Connected MX communicates to its servers via HTTPS REST API calls. Since this traffic looks much like any other web traffic it can fall under policies for packet analysis requiring decryption/re-encryption. Typically, when this is done the packets would be re-encrypted with the corporations own private CA. MX is using its own CA list with no access to the systems trust store.
The results are SSL handshake failures when MX attempts to make a connection with the server. The certificate sent by the server ends up with a CA the agent knows nothing about. This results in a failed handshake and TCP RESET.
Fix
To ensure that MX can communicate properly in this type of environment the following IP addresses should be whitelisted in the application.
TCP 443
173.254.177.53
173.254.177.54
173.254.177.55
65.160.230.53