

TLS Inspection | OCSP / CRL | Not blocking websites with revoked certificates

Hi everyone,

I'm enforcing my TLS inspection rules to be more strict and secure, following best practices. So my Decryption Profile:


Using https://badssl.com/ for test scenarios, I had success in almost all of them:

- invalid date: working as expected
- self-signed: working as expected
- untrusted issuer: working as expected
- revoked: opened site / should block
- name mismatch: working as expected
- invalid for other reasons:
  - NOK for pinning-test (HPKP)
  - NOK for DH small group (CVE-2016-0701)
  - NOK for DH over composite group

Revoked certificates aren't blocked, as is desired and good practice in other technologies.

Samples:

https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/  (https://revoked-rsa-dv.ssl.com/)

https://badssl.com/ (https://revoked.badssl.com/)

Ref documents:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Profiles/DecryptionProfiles/ProfilesDecryptionProfileAdd/index.html

Untrusted user - Revoked: You must import a certificate revocation list (CRL) for this feature to work.

Also an old document from UTM:

https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/46318/security-bug-no-revocation-checking-when-performing-https-inspection

I don't think it is feasible to create CRLs just for firewalls, since OCSP was created to solve this problem.

So OCSP isn't working by default? Is there any plan to cover this?
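Added example (not from this post, Sophos, or the linked docs): what a CRL-based revocation check like the one the Decryption Profile docs describe actually has to do before it can say "revoked". It builds a throwaway CA, two leaf certificates and a CRL with the Python `cryptography` library (assumed installed); all names and values are constructed.

```python
"""Constructed CRL-based revocation check: a throwaway CA issues two leaves, revokes
one in a CRL, and the verifier answers what an inspecting proxy must answer."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)

def make_ca(cn="Constructed Test CA"):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, hostname):
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials, lifetime=timedelta(days=7)):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + lifetime))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def revocation_status(leaf, ca_cert, crl):
    """'good', 'revoked', or why this CRL cannot be used to judge this leaf."""
    if crl.issuer != leaf.issuer:
        return "crl-wrong-issuer"  # a CRL only speaks for the CA that issued it
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-bad-signature"  # otherwise anyone could serve an "all good" CRL
    nxt = getattr(crl, "next_update_utc", None)  # older library versions lack this attribute
    if nxt is not None and nxt < datetime.now(timezone.utc):
        return "crl-stale"  # an expired CRL says nothing about today; it must be refreshed
    hit = crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
    return "revoked" if hit is not None else "good"
```

The signature and freshness checks are the reason a CRL has to be imported and kept current on the inspecting device: a serial lookup alone proves nothing if the list is forged or expired.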
