(Applies to TLSv1.2 and earlier) If you choose to allow sessions with untrusted issuers (not recommended) and enable only Block sessions with expired certificates, there is a scenario in which a session with a trusted but expired issuer may be blocked inadvertently. When the firewall's certificate store contains a valid, self-signed Trusted CA and the server sends an expired CA certificate in its certificate chain, the firewall does not consult its certificate store. Instead, the firewall blocks the session based on the expired CA in the chain, when it should find the valid, trusted alternative trust anchor in its store and allow the session based on that trusted self-signed certificate.

To avoid this scenario, enable Block sessions with untrusted issuers in addition to Block sessions with expired certificates. This forces the firewall to check its certificate store, find the valid self-signed Trusted CA, and allow the session.
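As an added example (not taken from the documentation or from PAN-OS itself), the following Python model reproduces the decision described above for the two profile settings: with only the expired-certificate check, the stale root the server sends causes a block; with the untrusted-issuer check also enabled, the store is consulted and the valid Trusted CA allows the session. The certificate names, dates and the path-building logic are simplified assumptions, not the firewall's actual implementation.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    def expired(self, today: date) -> bool:
        return self.not_after < today

def decide(chain, store, today, block_expired, block_untrusted):
    """Simplified model (assumption, not the real firewall logic): chain[0] is the
    server cert, chain[1:] the CAs the server sent, store the firewall's Trusted CAs."""
    if block_expired and chain[0].expired(today):
        return "block: expired server certificate"
    if not block_untrusted:
        # Store is not consulted; the chain is judged exactly as the server sent it.
        for ca in chain[1:]:
            if block_expired and ca.expired(today):
                return "block: expired CA in server chain"
        return "allow"
    current, seen = chain[0], set()
    while True:
        # The untrusted-issuer check forces a store lookup at each step of the path.
        if any(c.subject == current.issuer and not c.expired(today) for c in store):
            return "allow"  # valid trust anchor found; the stale copy in the chain is ignored
        sent = [c for c in chain[1:] if c.subject == current.issuer and c.subject not in seen]
        if not sent or current.subject == current.issuer:
            return "block: untrusted issuer"  # path ends without reaching a Trusted CA
        current = sent[0]
        seen.add(current.subject)
        if block_expired and current.expired(today):
            return "block: expired CA in server chain"

# Constructed sample data for the scenario described above.
TODAY = date(2024, 6, 1)
LEAF = Cert("www.example.test", "Example Root CA", date(2025, 1, 1))
STALE_ROOT_SENT = Cert("Example Root CA", "Example Root CA", date(2023, 1, 1))   # expired, sent by server
FRESH_ROOT_STORE = Cert("Example Root CA", "Example Root CA", date(2030, 1, 1))  # valid, in firewall store

def page_scenario():
    chain, store = [LEAF, STALE_ROOT_SENT], [FRESH_ROOT_STORE]
    return {
        "expired_only": decide(chain, store, TODAY, True, False),
        "expired_and_untrusted": decide(chain, store, TODAY, True, True),
    }
```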