Today I was behind a Forefront TMG 2010 RC firewall in a lab, browsing the web from a web proxy client (IE8 browser, manually configured proxy settings).
So I thought to go check my Yahoo web email.
Errrr…
![ie8_mail_yahoo_error](/blog/image.axd?picture=ie8_mail_yahoo_error_thumb.png)
So what happened ?
I use Bing rarely. Today was one of those rare occasions, and out of laziness I just searched Bing for ‘yahoo mail’:
![yahoo_mail_bing](/blog/image.axd?picture=yahoo_mail_bing_thumb.png)
Turns out I wasn’t very attentive: I just clicked on the first search result, missing the ‘https’ in front of that link.
Bing indexed ‘https://mail.yahoo.com/’, which is not quite a good thing (there is an old discussion about this address and Yahoo web mail’s certificate).
“Normally”, on a Google search, the first result is for ‘http://mail.yahoo.com/’:
![yahoo_mail_google](/blog/image.axd?picture=yahoo_mail_google.png)
And if you click on this, a “pesky” redirection occurs to the “real https address”:
![mail_yahoo_redirect](/blog/image.axd?picture=mail_yahoo_redirect_thumb.png)
And the certificate for Yahoo’s web email is issued to ‘login.yahoo.com’ (CN only, no SAN entries):
![mail_yahoo_cert](/blog/image.axd?picture=mail_yahoo_cert.png)
Since Outbound HTTPS Inspection on Forefront TMG 2010 RC checks the server’s certificate by default, Forefront TMG 2010 RC denied the connection, saying (correctly): Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
![tmg_mail_yahoo_log](/blog/image.axd?picture=tmg_mail_yahoo_log.png)
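To make the check behind that 12227 status concrete, here is an added example (not code from the post or from TMG) of the name-matching logic a proxy doing outbound HTTPS inspection, or a browser, applies to a server certificate. It follows the RFC 2818 / RFC 6125 rules (SAN dNSName entries take precedence, the CN is consulted only when no dNSName is present, wildcards only as the whole leftmost label); the certificate values are constructed to mirror the case above, not read from a live certificate.

```python
# Added example: hostname matching as performed by an inspecting proxy or browser.
# Certificate values are constructed to reproduce the post's case (CN=login.yahoo.com,
# no SAN) and are not taken from a live certificate.
from typing import Iterable, Optional, Tuple


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' allowed only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the whole first label, must not cover a public suffix,
    # and matches exactly one label (no 'a.b.example.com' for '*.example.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_name_matches(requested_host: str, subject_cn: Optional[str],
                      san_dns_names: Iterable[str]) -> Tuple[bool, str]:
    """Return (matched, reason) for a requested host against a certificate's names."""
    sans = list(san_dns_names)
    if sans:
        # When SAN dNSName entries exist the subject CN is ignored entirely.
        for name in sans:
            if _name_matches(name, requested_host):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"no SAN dNSName matches {requested_host!r} (CN not consulted)"
    if subject_cn and _name_matches(subject_cn, requested_host):
        return True, f"matched subject CN {subject_cn!r} (no SAN present)"
    return False, f"CN {subject_cn!r} does not match {requested_host!r} and no SAN present"


if __name__ == "__main__":
    # The post's case: mail.yahoo.com requested, certificate issued to login.yahoo.com, no SAN.
    print(cert_name_matches("mail.yahoo.com", "login.yahoo.com", []))
    # Following the redirect to login.yahoo.com makes the same certificate acceptable.
    print(cert_name_matches("login.yahoo.com", "login.yahoo.com", []))
    # Had the certificate carried a SAN listing both names, the first request would pass.
    print(cert_name_matches("mail.yahoo.com", "login.yahoo.com",
                            ["login.yahoo.com", "mail.yahoo.com"]))
```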
Same thing (sort of) would have happened had I used Bing from a browser without TMG (and its Outbound HTTPS Inspection) on the path and gone to this address:
![ie8_mail_yahoo_error_direct](/blog/image.axd?picture=ie8_mail_yahoo_error_direct_thumb.png)
The difference here was that the error shown by IE8 behind Forefront TMG 2010 RC (while Outbound HTTPS Inspection was on) was somewhat ambiguous. If I check with Wireshark what Forefront TMG 2010 RC tells the client, we can see that the reply Forefront TMG 2010 RC sends to the client actually makes sense, but IE8 does not display this message, making the whole process not very user friendly and leaving one wondering what has happened:
![wr_mail_yahoo_error](/blog/image.axd?picture=wr_mail_yahoo_error_thumb.png)
Same story with other browsers:
- Google Chrome 3.x
![chrome_mail_yahoo_error](/blog/image.axd?picture=chrome_mail_yahoo_error.png)
- Firefox 3.5.x
![ff_mail_yahoo_error](/blog/image.axd?picture=ff_mail_yahoo_error.png)
- Safari 4.x on Windows
![safari_win_mail_yahoo_error](/blog/image.axd?picture=safari_win_mail_yahoo_error.png)
However, Opera 10 is able to read that message and display it:
![opera_mail_yahoo_error](/blog/image.axd?picture=opera_mail_yahoo_error.png)
References: