HTTP traffic blocked due to certificate and TLS errors can now be viewed on the Umbrella Dashboard Activity Search. This article provides a list of common error messages as well as a brief explanation for each of the errors.
Upstream certificate expired
The certificate presented by the website has expired. Contact the webmaster of the site to report this issue.
Upstream certificate self-signed
The certificate presented by the website is not signed by a Certificate Authority, and therefore Umbrella cannot determine if the certificate is trustworthy.
Self-signed certificates are sometimes used when a server hosts a resource which is intended for a restricted audience. For example, web portals for I.T. security appliances often default to using self-signed certificates. Umbrella cannot be configured to trust self-signed certificates.
Missing Intermediate Certificate
Umbrella was unable to obtain certificates for all Intermediate Authorities and therefore unable to validate the full chain of trust.
Certificates are often signed by one (or more) Intermediate Authorities that form a chain back to the Root CA. The website must bundle the intermediate certificates with the server (leaf) certificate in order for Umbrella to validate the full chain of trust, which is ultimately signed by a known Root CA. Contact the webmaster of the site to report this issue.
Alternatively if the certificate includes the “Authority Information Access” extension, Umbrella will attempt to fetch the Intermediates CAs automatically. Note that Umbrella only supports the AIA extension when HTTPS Decryption and File Inspection are enabled.
Upstream certificate missing subject name.
The Subject field of the certificate does not contain a Distinguished Name (DN) to identify this certificate. This is a requirement for all certificates issued by a Certificate Authority, and therefore required by Cisco Umbrella. Contact the webmaster of the site to report this issue.
Upstream certificate missing common name.
The certificate presented by the website has no Common Name. The Common Name (CN) field is required by Umbrella SWG. This contains the certificate hostname, which is required to validate that the certificate matches the resource requested by the user (Eg. The address typed into the browser). Contact the webmaster of the site to report this issue.
Upstream certificate Untrusted
The Certificate is not trusted by Cisco Umbrella. This error typically means that Cisco does not trust the Root CA that issued the certificate.
Umbrella SWG has a built-in list of known trusted Root Certificate Authorities that we update from a reputable source. If the websites’ certificate is not signed by a CA on this list, the certificate validation will fail. If you believe Umbrella is missing a Root CA which should be trusted, please contact technical support.
Hostname in cert is different from expected
The resource requested by the user (eg. the address typed into the browser) does not match the Common Name (CN) or Subject Alternative Name (SAN) of the certificate, therefore Umbrella cannot trust the certificate for this request. Contact the webmaster of the site to report this issue.
Upstream Certificate Revoked
The certificate provided by the website has been revoked by the issuing Certificate Authority.
Umbrella performs CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) checks to determine if a certificate has been later revoked by a CA. Contact the webmaster of the site to report this issue.
TLS Handshake Errors
Unsupported Upstream Cipher
The TLS handshake could not be completed. This typically means the website does not support any of the list of Cipher Suites used by Umbrella SWG. This error can occur with older or outdated webservers that only support weaker TLS ciphers. Contact the webmaster of the site to report this issue.
Upstream TLS Version Mismatch
The TLS handshake could not be completed because the website does not support the same TLS version that Umbrella SWG uses. Umbrella SWG currently only supports TLS1.2 when connecting to websites. At time of writing Umbrella does not support TLS1.3 but will attempt to use TLS1.2 for these connections where possible. Contact the webmaster of the site to report this issue.
Upstream DH key less than 1024 bits
The TLS handshake could not be completed because the website uses a weak Diffie-Hellman key that is not supported by Umbrella. Contact the webmaster of the site to report this issue.
It is possible to workaround these issues by making configuration changes in Cisco Umbrella. This should only be done if you trust the authenticity of the server and certificate.
Workarounds can be applied using a "Selective Decryption List" entry to disable decryption or an "External Domains" entry to bypass the traffic from Umbrella entirely. Umbrella does not perform certificate validation when decryption is disabled. Be aware that in the majority of cases the browser will still present an error or warning when the traffic is bypassed from Umbrella - Web browsers perform similar certificate validation.