When the Umbrella Secure Web Gateway (SWG) proxy is configured to perform HTTPS Inspection, a user may receive a 516 Upstream Certificate CN Mismatch error page when browsing to a website using an HTTPS URL.
This error does not indicate a problem with the Common Name (CN) attribute in the website certificate's Subject field. Rather, the issue pertains to the DNS Name attribute in the Subject Alternative Names (SAN) extension of the website's certificate.
After reviewing this article, if you cannot identify the reason for the 516 error page, please contact Umbrella technical support and provide us with the information specified in the Certificate identity errors section, below.
Certificate identity mechanics
When requesting an HTTPS URL, a web client sends the domain name in the URL to the web server via the Server Name Indication (SNI) extension in the Client Hello message of the TLS negotiation. The server uses this SNI value to identify the correct server certificate to return to the client, since a server often hosts multiple websites and can have different certificates for some or all of the sites.
When the certificate is received by the web client, the client verifies that the certificate is the correct certificate for the request by checking for a match between the requested domain name and the domain name(s) in the DNS Name attributes of the certificate's Subject Alternative Names extension. The image below shows the SANs for a website's certificate.
This web server will return this certificate in response to requests with the following SNI values:
as well as others not visible in the Field Value panel.
Note that the value "example.org" does not match an SNI of "www.example.org" or any other domain under example.org.
However, a wildcard-based value of "*.example.org" would match "www.example.org" or any other domain under example.org consisting of a single additional label (a string with no "." character), but not multiple labels. For example, "www.hr.example.org" will not be matched by a value of "*.example.org" because "www.hr" consists of two labels: "www" and "hr". A wildcard can match only a single label.
Certificate identity errors
When a web client receives a server certificate, if none of the SAN's DNS Names match the domain name in the requested URL, then the web client will display an error to the user. The image below shows the "NET::ERR_CERT_COMMON_NAME_INVALID" interstitial page generated by the Chrome browser.
In the above example, the site requested was "https://wrong.host.badssl.com". The certificate contains a wildcard SAN DNS Name, "*.badssl.com", whose wildcard can only match a single label such as "www" or "host". The domain name "wrong.host.badssl.com" does not match the wildcard because of the multiple labels ("wrong" and "host"). Additionally, the certificate does not have a SAN DNS Name with the exact value "wrong.host.badssl.com". For these reasons, the user is presented with this error.
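The matching rules described above (exact match, or a wildcard standing for exactly one leftmost label), as an added worked example that is not part of the Umbrella article. The function names and the sample SAN lists are constructed for illustration; the behaviour follows the RFC 6125 wildcard rules that modern browsers apply.

```python
# Added example: how a web client decides whether a certificate's SAN DNS Names
# cover the requested host name (constructed for illustration, not Umbrella code).

def san_matches(san: str, host: str) -> bool:
    """Return True if a single SAN dNSName value covers the requested host."""
    san = san.lower().rstrip(".")      # DNS names are case-insensitive; ignore a trailing dot
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host             # no wildcard: exact match only
    san_labels = san.split(".")
    host_labels = host.split(".")
    # A wildcard is only honoured as the complete leftmost label ("*.example.org");
    # "w*.example.org" or "*.*.example.org" are rejected.
    if san_labels[0] != "*" or "*" in san[1:]:
        return False
    # Refuse wildcards that would cover a whole TLD ("*.com").
    if len(san_labels) < 3:
        return False
    # The "*" stands for exactly one non-empty label, so the label counts must agree:
    # "*.badssl.com" covers "host.badssl.com" but not "wrong.host.badssl.com".
    if len(san_labels) != len(host_labels) or not host_labels[0]:
        return False
    return san_labels[1:] == host_labels[1:]

def find_matching_san(san_dns_names, host):
    """Return the first SAN DNS Name that covers host, or None (-> identity error)."""
    for san in san_dns_names:
        if san_matches(san, host):
            return san
    return None

if __name__ == "__main__":
    # Cases from the article, plus a constructed SAN list for the example.org case.
    example_org_sans = ["example.org", "*.example.org"]
    badssl_sans = ["*.badssl.com", "badssl.com"]
    for sans, host in [
        (example_org_sans, "www.example.org"),      # matched by "*.example.org"
        (example_org_sans, "www.hr.example.org"),   # two labels: no match
        (badssl_sans, "wrong.host.badssl.com"),     # the Chrome interstitial case
    ]:
        print(f"{host!r:30} -> {find_matching_san(sans, host)}")
```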
To identify the reason for a certificate identity mismatch, inspect the certificate's SAN DNS Names using the browser's certificate viewing function and compare with the requested URL (note that decryption by the Secure Web Gateway proxy or Intelligent Proxy will not alter a certificate's SAN entries). Alternatively, a tool such as the Qualys SSL Server Test can be used to diagnose a certificate identity issue.
For example, a source of 516 errors occurs when a domain name is incorrectly entered into a browser, and the site employs a DNS wildcard entry for the website, allowing correct name-to-address resolution of the incorrectly entered domain name. If the site's certificate does not contain a SAN with an appropriate wildcard, the incorrectly entered domain name produces the certificate error.
If the reason for the 516 error cannot be identified after employing the information in this section, or if the resolutions and workarounds in the section below cannot be employed, please open a case with Umbrella technical support and provide:
- a screenshot attached to the case notes that captures:
  - the browser's address bar (or similar input field) that contains the requested URL
  - the entire 516 error page (see image in the next section)
- the text of the URL copied from the address bar (or similar input field) and pasted into the case notes
Resolutions and workarounds
To resolve this issue, access the server with a domain name that matches one of the SAN DNS Names in the certificate. This may require the site administrator to add a matching domain name into the DNS for the zone. Alternatively, the site administrator can re-issue the certificate to include the erroring domain name in one of the SAN DNS Names.
As a workaround, the erroring domain name of the web site can be added to a Selective Decryption List for the Secure Web Gateway proxy or to a Destination List in the Intelligent Proxy. Apply the list to the appropriate Web policy Ruleset Setting (Secure Web Gateway) or DNS policy Allow List (Intelligent Proxy). This will prevent the request to the website from being decrypted by the proxy, and thus will prevent the proxy from displaying a 516 error page.
Note: Use of both the Secure Web Gateway proxy and Intelligent Proxy is unsupported. Only one proxy technology can be employed per organization. Organizations which have subscriptions for Secure Web Gateway should use SWG and not use Intelligent Proxy.
Common Name is deprecated
The Subject Alternative Name extension is a newer mechanism for specifying certificate identity. The older mechanism used the Common Name (CN) attribute in the certificate's Subject field. This mechanism has been deprecated in modern web clients, but error messages often continue to reference the deprecated mechanism, such as "NET::ERR_CERT_COMMON_NAME_INVALID" in Chrome.
Similarly, Umbrella SWG will display a 516 error page with the following text:
when the SWG proxy requests a URL from a web server, and a SAN DNS Name mismatch occurs. Cisco Umbrella will update this text at a future date to better reflect the current behavior.