Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Table of Contents
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
The firewall decrypts inbound and outbound
SSL/TLS traffic to inspect the traffic for threats. When you create
a Security policy rule that allows traffic and apply Security profiles
to the rule, create an analogous Decryption policy rule to decrypt
that traffic. If you don’t decrypt the traffic, the firewall can’t
use the Security profiles to inspect the traffic (you can’t inspect
what you can’t see). The firewall re-encrypts the traffic before
forwarding it. (See SSL
Inbound Inspection and SSL
Forward Proxy.) You can configure the firewall to verify
the revocation status of certificates used for decryption as follows.
Enabling revocation status verification
for SSL/TLS decryption certificates will add time to the process
of establishing the session. The first attempt to access a site
might fail if the verification does not finish before the session
times out. For these reasons, verification is disabled by default.
- Define the service-specific timeout intervals for revocation status requests.
- Select and, in the Session Features section, select Decryption Certificate Revocation Settings.Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
- In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
- In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.Define the total timeout interval for revocation status requests.Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:- If you enable both OCSP and CRL—The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
- If you enable only OCSP—The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
- If you enable only CRL—The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
Define the blocking behavior for unknown certificate status or a revocation status request timeout.If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status check box. Otherwise, the firewall proceeds with the session.If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the session.Click OK and Commit.
