Cisco Cisco Web Security Appliance S390 Betriebsanweisung
10-9
AsyncOS 8.5 for Cisco Web Security Appliances User Guide
Chapter 10 Create Decryption Policies to Control HTTPS Traffic
Certificates
Step 3
For each type of certificate error, define the proxy response, Drop, Decrypt or Monitor.
Step 4
Submit and Commit Changes.
Options for Certificate Revocation Status Checking
To determine whether the issuing certificate authority has revoked a certificate, the Web Security
appliance can check with the issuing certificate authority in these ways:
appliance can check with the issuing certificate authority in these ways:
•
Certificate Revocation List (Comodo certificates only). The Web Security appliance checks
Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own
policies. Depending on when it was last updated, the certificate revocation list may be out of date at
the time the Web Security appliance checks it.
Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own
policies. Depending on when it was last updated, the certificate revocation list may be out of date at
the time the Web Security appliance checks it.
•
Online Certificate Status Protocol (OCSP). The Web Security appliance checks the revocation
status with the issuing certificate authority in real time. If the issuing certificate authority supports
OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by
default for fresh installations and disabled by default for updates.
status with the issuing certificate authority in real time. If the issuing certificate authority supports
OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by
default for fresh installations and disabled by default for updates.
Note
The Web Security appliance only performs the OCSP query for certificates that it determines to be valid
in all other respects and that include the OCSP URL.
in all other respects and that include the OCSP URL.
Related Topics
•
•
Certificate Error Type
Description
Expired
The current date falls outside of the range of validity for the certificate.
Mismatched hostname
The hostname in the certificate does not match the hostname the client was
trying to access.
trying to access.
Note
The Web Proxy can only perform hostname match when it is
deployed in explicit forward mode. When it is deployed in
transparent mode, it does not know the hostname of the destination
server (it only knows the IP address), so it cannot compare it to the
hostname in the server certificate.
deployed in explicit forward mode. When it is deployed in
transparent mode, it does not know the hostname of the destination
server (it only knows the IP address), so it cannot compare it to the
hostname in the server certificate.
Unrecognized root
authority/issuer
authority/issuer
Either the root authority or an intermediate certificate authority is
unrecognized.
unrecognized.
Invalid signing
certificate
certificate
There was a problem with the signing certificate.
Invalid leaf certificate
There was a problem with the leaf certificate, for example, a rejection,
decoding, or mismatch problem.
decoding, or mismatch problem.
All other error types
Most other error types are due to the appliance not being able to complete
the SSL handshake with the HTTPS server. For more information about
additional error scenarios for server certificates, see
http://www.openssl.org/docs/apps/verify.html.
the SSL handshake with the HTTPS server. For more information about
additional error scenarios for server certificates, see
http://www.openssl.org/docs/apps/verify.html.