Running firmware version 9.111-7 with "Scan HTTPS (SSL) Traffic" enabled. When I browse to a website who's certificate is revoked (like: https://revoked.grc.com/ ) the UTM allows access to this page. Browsing directly to that page without going through the UTM shows a proper revocation warning from all my tested browsers. As I can access the page without error when my connection is proxies by the UTM, this leads me to believe that the UTM is not doing ANY revocation checking. As revocation checking is a critical component of how certificates and HTTPS function, this is a significant security issue that needs to get fixed ASAP.
This thread was automatically locked due to age.