
TLS Inspection | OCSP / CRL | Not blocking websites with revoked certificates

Hi everyone,

I'm tightening my TLS inspection rules to be stricter and more secure, following best practices. So my Decryption Profile:


Using https://badssl.com/ for test scenarios, I had success in almost all cases:

- invalid date: OK, working as expected
- self-signed: OK, working as expected
- untrusted issuer: OK, working as expected
- revoked: NOK, opened site / should block
- name mismatch: OK, working as expected
- invalid for other reasons:
  - Warning: NOK for pinning-test (HPKP)
  - Warning: NOK for DH small group (CVE-2016-0701)
  - Warning: NOK for DH over composite group

Revoked certificates aren't blocked, as is desired and good practice in other technologies.

Samples:

https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/  (https://revoked-rsa-dv.ssl.com/)

https://badssl.com/ (https://revoked.badssl.com/)

Ref documents:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Profiles/DecryptionProfiles/ProfilesDecryptionProfileAdd/index.html

Untrusted user - Revoked: You must import a certificate revocation list (CRL) for this feature to work.

Also an old document from UTM:

https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/46318/security-bug-no-revocation-checking-when-performing-https-inspection

I don't think it's feasible to create CRLs just for firewalls, since OCSP was created to solve this problem.

So OCSP isn't working by default? Is there any plan to cover this?



Edited TAGs
[edited by: Erick Jan at 11:43 PM (GMT -7) on 5 Jun 2024]
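Added example, not from the post above and not Sophos Firewall code: the two revocation checks a TLS-inspecting proxy can run on a server certificate before trusting it, a CRL lookup (what the "Untrusted user - Revoked" setting needs an imported CRL for) and an OCSP query. It uses the `cryptography` library and constructs everything in memory so it runs offline: a throwaway CA, two leaf certificates for hypothetical hostnames, a CRL that revokes one of them, and a stand-in OCSP responder that is the CA itself (a real responder is reached over HTTP at the URL in the certificate's Authority Information Access extension and usually signs with a delegated certificate, which this example does not model). The `inspection_decision` verdicts are an assumption about how a decryption profile behaves, added to show that with neither a CRL nor an OCSP source configured a revoked certificate is simply allowed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 6, 5, tzinfo=datetime.timezone.utc)  # constructed clock
DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pubkey, days, ca=False):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY))
    if ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b

def make_ca(cn="Example Test CA"):
    """Throwaway self-signed CA standing in for the CA that issued the site certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _cert(_name(cn), _name(cn), key.public_key(), 365, ca=True).sign(key, hashes.SHA256())

def issue_leaf(ca_key, ca_cert, hostname):
    key = ec.generate_private_key(ec.SECP256R1())  # the site's key; hostname is hypothetical
    return _cert(_name(hostname), ca_cert.subject, key.public_key(), 90).sign(ca_key, hashes.SHA256())

def build_crl(ca_key, ca_cert, revoked_serials):
    """The list an admin would have to import for the 'Untrusted user - Revoked' check."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ca_cert.subject).last_update(NOW).next_update(NOW + 7 * DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_revoked(cert, crl, ca_cert):
    """CRL check: trust the list only if the issuer signed it, then look up the serial."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

class OcspResponder:
    """Stand-in for the CA's OCSP responder (constructed; a real one answers over HTTP)."""
    def __init__(self, ca_key, ca_cert, issued, revoked_serials):
        self.key, self.ca = ca_key, ca_cert
        self.issued = {c.serial_number: c for c in issued}
        self.revoked = set(revoked_serials)
    def answer(self, req_der):
        req = ocsp.load_der_ocsp_request(req_der)
        cert = self.issued[req.serial_number]
        revoked = cert.serial_number in self.revoked
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert, issuer=self.ca, algorithm=req.hash_algorithm,
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            this_update=NOW, next_update=NOW + DAY,
            revocation_time=NOW if revoked else None,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca)
        return builder.sign(self.key, hashes.SHA256()).public_bytes(DER)

def ocsp_revoked(cert, ca_cert, responder):
    """OCSP check: build the request, verify the signed answer, read the status."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build()
    resp = ocsp.load_der_ocsp_response(responder.answer(req.public_bytes(DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"OCSP responder returned {resp.response_status}")
    # The responder here is the CA itself; a delegated responder would present its own cert.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("OCSP response is for a different certificate")
    return resp.certificate_status == ocsp.OCSPCertStatus.REVOKED

def inspection_decision(cert, ca_cert, crl=None, responder=None):
    """Assumed decryption-profile verdict: with no CRL and no OCSP source a revoked site is allowed."""
    if crl is not None and crl_revoked(cert, crl, ca_cert):
        return "block"
    if responder is not None and ocsp_revoked(cert, ca_cert, responder):
        return "block"
    return "allow"

def demo():
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "good.example.test")
    bad = issue_leaf(ca_key, ca_cert, "revoked.example.test")
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    responder = OcspResponder(ca_key, ca_cert, [good, bad], [bad.serial_number])
    return {"no_source": inspection_decision(bad, ca_cert),
            "crl_good": inspection_decision(good, ca_cert, crl=crl),
            "crl_revoked": inspection_decision(bad, ca_cert, crl=crl),
            "ocsp_good": inspection_decision(good, ca_cert, responder=responder),
            "ocsp_revoked": inspection_decision(bad, ca_cert, responder=responder)}

if __name__ == "__main__":
    print(demo())
```

The point of the verdict function is the first entry of `demo()`: a revoked certificate that is otherwise valid (date, chain, name) passes every other check, so unless the inspecting device consults a CRL it has been given or asks the issuer's OCSP responder, "revoked" is indistinguishable from "good". Both checks also verify the signature on the revocation data before acting on it; a CRL or OCSP response that does not verify against the issuer must be treated as no answer, and whether "no answer" means block (hard fail) or allow (soft fail) is the policy decision an administrator has to make explicitly.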