Cisco Web Security Appliance S670 User Guide

11-11
Cisco IronPort AsyncOS 7.7 for Web User Guide

Chapter 11      Processing HTTPS Traffic
Managing Certificate Validation and Decryption for HTTPS
Step 2    Click Edit Settings.

Step 3    For each type of certificate error, define the proxy response. For more information about handling invalid server certificates, see .

Step 4    Submit and commit changes.
Options for Certificate Revocation Status Checking
To determine whether the issuing certificate authority has revoked a certificate, the Web Security 
appliance can check with the issuing certificate authority in these ways:
Certificate Error Type / Description

Expired
    The current date falls outside of the range of validity for the certificate.

Mismatched hostname
    The hostname in the certificate does not match the hostname the client was trying to access. This might happen during a "man in the middle attack," or when a server redirects a request to a different URL. For example, http://mail.google.com gets redirected to http://www.gmail.com.
    Note: The Web Proxy can only perform hostname match when it is deployed in explicit forward mode. When it is deployed in transparent mode, it does not know the hostname of the destination server (it only knows the IP address), so it cannot compare it to the hostname in the server certificate.

Unrecognized root authority/issuer
    Either the root authority or an intermediate certificate authority is unrecognized.

Invalid signing certificate
    There was a problem with the signing certificate, for example, a failure to verify or decrypt the signature.

Invalid leaf certificate
    There was a problem with the leaf certificate, for example, a rejection, decoding, or mismatch problem.

All other error types
    Most other error types are due to the appliance not being able to complete the SSL handshake with the HTTPS server. For more information about additional error scenarios for server certificates, see http://www.openssl.org/docs/apps/verify.html.
Proxy Response Type / Description

Drop
    Drop the connection.

Decrypt
    Decrypt the content and apply access policies as if this was an HTTP connection.

Monitor
    Do not take determinative action based on this certificate error. Continue validation services.
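The two tables above can be read as a small decision procedure: detect which error types apply to a server certificate, then combine the per-error responses configured in Step 3 into one action. The following is an added illustration, not Cisco's code or the appliance's actual logic; the certificate is a constructed dict rather than parsed X.509, the hostname check is skipped when the requested hostname is unknown (the transparent-mode case from the note), and the precedence of Drop over Decrypt is an assumption the page does not state.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample data: a leaf certificate for www.gmail.com, as in the
# redirect example above. A real proxy parses these fields from X.509.
SAMPLE_CERT = {
    "names": ["www.gmail.com", "*.gmail.com"],
    "not_before": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2013, 1, 1, tzinfo=timezone.utc),
    "root": "Example Root CA",
}
TRUSTED_ROOTS = {"Example Root CA"}
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: one '*' may replace only the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def find_errors(cert: Dict, requested_host: Optional[str], now: datetime,
                trusted_roots: Set[str]) -> List[str]:
    """Return the error types from the table above that apply to cert.
    requested_host is None in transparent mode: the proxy only knows the
    destination IP, so the hostname check is skipped (see the note above)."""
    errors = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        errors.append("Expired")
    if requested_host is not None and not any(
            hostname_matches(n, requested_host) for n in cert["names"]):
        errors.append("Mismatched hostname")
    if cert["root"] not in trusted_roots:
        errors.append("Unrecognized root authority/issuer")
    return errors

def proxy_response(errors: List[str], policy: Dict[str, str]) -> str:
    """Combine the per-error responses configured in Step 3 into one action.
    Drop and Decrypt are determinative; Monitor only continues validation.
    Assumption (not stated on the page): Drop takes precedence over Decrypt."""
    actions = {policy[e] for e in errors}
    if "Drop" in actions:
        return "Drop"
    return "Decrypt" if "Decrypt" in actions else "Monitor"
```

With the sample certificate, an explicit-mode request for mail.google.com yields only "Mismatched hostname", while the same certificate seen in transparent mode (no hostname) yields no error at all, which is exactly the blind spot the note describes.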