Cisco Cisco Web Security Appliance S670 Fehlerbehebungsanleitung
HTTP request.
For SSL, it is more difficult. In explicit proxy mode, the browser tells us in the CONNECT request, so that is
easy. The difficulty comes in transparent mode. With decryption enabled on the WSA, we need to determine
where the user is trying to browse to before actually decrypting the connection.
easy. The difficulty comes in transparent mode. With decryption enabled on the WSA, we need to determine
where the user is trying to browse to before actually decrypting the connection.
Today, we do this by looking at the IP address the client is trying to connect to, connecting to that IP
ourselves, and looking at the certificate, in particular, at the CN field. This works well when a unique
hostname has its own SSL server certificate. It also allows customers to implement some amount of policy
enforcement for SSL traffic without decrypting anything, and thus without distributing the WSA's CA cert to
their clients. A customer can allow https://www.google.com but block https://www.youtube.com by setting
the first to "allow, don't decrypt" and the second to "drop" in the decryption policy.
ourselves, and looking at the certificate, in particular, at the CN field. This works well when a unique
hostname has its own SSL server certificate. It also allows customers to implement some amount of policy
enforcement for SSL traffic without decrypting anything, and thus without distributing the WSA's CA cert to
their clients. A customer can allow https://www.google.com but block https://www.youtube.com by setting
the first to "allow, don't decrypt" and the second to "drop" in the decryption policy.
Now, youtube.com and google.com serve up the same server certificate. This means that in order to
distinguish between the two, WSA has to look for something other than just the certificate served up at the IP
address to which the client is trying to connect.
distinguish between the two, WSA has to look for something other than just the certificate served up at the IP
address to which the client is trying to connect.
The solution to this issue is being tracked as Cisco bug ID 74969.
Solution
If you have a configuration affected by this, then the immediate solution is to turn on active decryption of SSL
traffic. For customers who have not previously distributed the CA certificate from the WSA, they will need to
start doing so. This is the best general solution to the problem.
traffic. For customers who have not previously distributed the CA certificate from the WSA, they will need to
start doing so. This is the best general solution to the problem.
Appendix
List of domains for which Google's new certificate is valid:
DNS Name: *.google.com
DNS Name: google.com
DNS Name: *.atggl.com
DNS Name: *.youtube.com
DNS Name: youtube.com
DNS Name: *.ytimg.com
DNS Name: *.google.com.br
DNS Name: *.google.co.in
DNS Name: *.google.es
DNS Name: *.google.co.uk
DNS Name: *.google.ca
DNS Name: *.google.fr
DNS Name: *.google.pt
DNS Name: *.google.it
DNS Name: *.google.de
DNS Name: *.google.cl
DNS Name: *.google.pl
DNS Name: *.google.nl
DNS Name: *.google.com.au
DNS Name: *.google.co.jp
DNS Name: *.google.hu
DNS Name: *.google.com.mx
DNS Name: *.google.com.ar
DNS Name: *.google.com.co
DNS Name: google.com
DNS Name: *.atggl.com
DNS Name: *.youtube.com
DNS Name: youtube.com
DNS Name: *.ytimg.com
DNS Name: *.google.com.br
DNS Name: *.google.co.in
DNS Name: *.google.es
DNS Name: *.google.co.uk
DNS Name: *.google.ca
DNS Name: *.google.fr
DNS Name: *.google.pt
DNS Name: *.google.it
DNS Name: *.google.de
DNS Name: *.google.cl
DNS Name: *.google.pl
DNS Name: *.google.nl
DNS Name: *.google.com.au
DNS Name: *.google.co.jp
DNS Name: *.google.hu
DNS Name: *.google.com.mx
DNS Name: *.google.com.ar
DNS Name: *.google.com.co