Packet Analyzers/sniffers and the impact to CMX

  • KM02791485
  • 10-May-2017
  • 10-May-2017

This document is under revision.

Summary

Decryption/re-encryption done by some packet analyzers of HTTPS traffic can cause MX communication failures with notification servers.

Error

Error message seen in MX’s PolicyEngine.log
(connectWebsocket threw NetException: SSL Exception: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify faile


Cause

Connected MX communicates with its servers via HTTPS REST API calls. Because this traffic looks much like any other web traffic, it can fall under policies for packet analysis that require decryption and re-encryption. Typically, the packets are then re-encrypted with the corporation's own private CA. MX uses its own CA list and has no access to the system's trust store.
The result is an SSL handshake failure when MX attempts to connect to the server: the certificate presented to the agent is signed by a CA the agent knows nothing about, so the handshake fails and the connection is closed with a TCP RESET.
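To confirm from an affected network whether the CMX servers are being intercepted, the following added example (not part of this KB article or of the MX product) performs the handshake twice per server, once against a CA bundle standing in for MX's own CA list and once against the OS trust store; the bundle path is a placeholder assumption, the server IPs are those listed under Fix.

```python
"""Probe the CMX servers on TCP 443. A certificate that only the OS trust
store accepts (corporate CA) but a stand-in for MX's own CA list rejects
is the signature of TLS decryption/re-encryption described in Cause."""
import socket
import ssl

# IPs from the KB article; the CA bundle path is a placeholder assumption.
CMX_SERVERS = ["173.254.177.53", "173.254.177.54", "173.254.177.55", "65.160.230.53"]
MX_CA_BUNDLE = "/path/to/mx-ca-list.pem"  # placeholder: MX's own CA list


def handshake_ok(host, port, context, timeout=5.0):
    """Return (True, None) if the TLS handshake verifies, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True, None
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message  # e.g. "unable to get local issuer certificate"
    except (ssl.SSLError, OSError) as e:
        return False, str(e)


def classify(mx_ok, system_ok):
    """Turn the two verification outcomes into a diagnosis string."""
    if mx_ok:
        return "ok"            # MX's CA list accepts the cert: no interception
    if system_ok:
        return "intercepted"   # only the OS store (corporate CA) trusts it
    return "unverifiable"      # neither trusts it: block, outage, or wrong bundle


def diagnose(host, port=443, ca_bundle=MX_CA_BUNDLE):
    """Verify host's certificate with the MX-style bundle and the OS store."""
    mx_ctx = ssl.create_default_context(cafile=ca_bundle)  # only this bundle is trusted
    mx_ctx.check_hostname = False  # probing by IP; the issue is the CA, not the name
    sys_ctx = ssl.create_default_context()  # OS trust store (includes corporate CA)
    sys_ctx.check_hostname = False
    mx_ok, mx_reason = handshake_ok(host, port, mx_ctx)
    sys_ok, _ = handshake_ok(host, port, sys_ctx)
    return classify(mx_ok, sys_ok), mx_reason


if __name__ == "__main__":
    for server in CMX_SERVERS:
        verdict, reason = diagnose(server)
        print(f"{server}:443 -> {verdict}" + (f" ({reason})" if reason else ""))
```

A verdict of "intercepted" on any of the four servers means the decryption policy still applies to that address and the whitelist under Fix has not taken effect.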


Fix

To ensure that MX can communicate properly in this type of environment, the following IP addresses should be whitelisted (excluded from decryption) in the packet analyzer application:

TCP 443
173.254.177.53
173.254.177.54
173.254.177.55
65.160.230.53