Certificate Verification Failures and Remediation Options

When certificate verification fails, an access denied message is displayed to the user and an incident is recorded in the SSL Incident List.

If the CVE blocks access to a site believed to be safe, the administrator should research the failure in the Incident List, and may want to research the status of the destination host.

Certificate verification failures occur for the following reasons:


	Important The failures you see at your site will depend, in part, on the CVE options you have enabled.

An invalid or mishandled SSL handshake (e.g., Skype, Citrix GoTo services)


	Note This failure will occur even when the CVE is disabled.

A certificate that was not issued by a CA in Content Gateway's trusted CA list; this is often a self-signed certificate

A certificate that was not issued by a CA that is trusted by the destination server

A revoked CA (on a CRL or OCSP list)

An expired or not yet valid certificate

An expired, not yet valid, or revoked certificate in the certificate chain

A name mismatch between the hostname and URL, or similar (hostname and the Common Name, hostname and the Subject Alternative Name; hostname and use of a wildcard in the certificate)

Missing and/or optional fields in the certificate (no CRL or OCSP state; result in "Unknown revocation state" errors)

A problem in the logic of the CVE

List of common certificate verification error messages

See the Troubleshooting Certificate Verification Failures section for more information on each of these errors.

CA explicitly denied

Certificate has expired

Certificate is not yet valid

Certificate revoked

Client certificate requested

Common Name does not match URL

Invalid CA certificate

Self-signed certificate

Self-signed certificate in certificate chain

10.

Unable to get local issuer certificate

11.

Unable to verify the first certificate

12.

Unknown revocation state

Remediation

Certificate verification failures can be remediated in several ways.


	Important The SSL Incident List is the primary vehicle for investigating verification failures. To effectively use the CVE, administrators must become fluent with the Incident List facility. Help system information starts here.

The primary remediation options include:

Correcting the certificate problem. See Troubleshooting Certificate Verification Failures and SSL trusted certificate store.

Bypassing certificate verification via SSL Decryption bypass, the SSL Incident List, or another bypass option. See Bypass options.

Enabling or disabling CVE options.

Using the CVE Verification Bypass option to give users the ability to proceed to a site after certificate verification fails.

SSL trusted certificate store

When version 7.8 of Content Gateway is installed, all Certificate Authorities trusted by Mozilla Firefox as of October 18, 2012, are included in the SSL trusted certificate store.

The list is accessed in the Content Gateway manager on the Configure > SSL > Certificates > Certificate Authorities tab.

Content Gateway trusts web servers that offer these certificates. Note that a lowercase "i" appears before the name of some certificates validated via CRL (certificate revocation lists) or OCSP (online certification status protocol). These certificates provide URLs where their revocation status can be verified. See Keeping revocation information up to date.

You can manually add, delete, or change the status of a certificate.

Help system information on SSL certificate management starts here.

SSL transaction logging

SSL transaction logs are sent to the same systems logs as those used by HTTP. Content Gateway transaction logging is described here.

Bypass options

Bypass is the term used to describe several methods of specifically allowing a request to circumvent (bypass) all or select features of Content Gateway. Full proxy bypass is often called tunneling.

In this discussion take note of when bypass affects:

Only certificate verification

Certificate verification and SSL decryption

Complete bypass of Content Gateway

These are the primary bypass methods:

Web Security SSL decryption bypass (category, client IP addresses, and destination hostname/IP address)

The Content Gateway SSL Incident List

Content Gateway ARM bypass (transparent proxy)

Explicit proxy PAC file bypass

Transparent proxy routing device ACL bypass

Allow users to continue after verification failure (Configure > SSL > Validation > Verification Bypass)

Web Security SSL Decryption Category bypass and Hostname/IP address bypass

In Web Security you can specify categories, client IP addresses, or destination hostname/IP addresses of websites for which SSL decryption and inspection are not performed. See SSL Decryption Bypass.

If Content Gateway is set up as an explicit proxy, certificate verification is bypassed, leaving certificate verification subject to the settings of the client browser. This is the best practice for bypass in explicit proxy deployments.

If Content Gateway is set up as a transparent proxy, certificate verification is not bypassed. In transparent proxy deployments, Content Gateway first retrieves the site certificate, performs validation, and then uses the Common Name to determine if SSL Decryption Category bypass or Hostname/IP address bypass is performed. Therefore, in transparent proxy deployments, the Content Gateway Incident List is the best way to set up bypassing for specific sites.

The SSL Incident List

The SSL Incident List is the principal SSL decryption and certificate verification bypass mechanism in Content Gateway. In addition to automatically adding certificate verification failures (incidents) to the list, administrators can manually add destination URLs.

Administrators should set "Action:Allow" to bypass certificate verification (the check is made but has no effect). Administrators should use "Action:Tunnel" to bypass certificate verification and SSL decryption. See Managing Web HTTPS site access.

Content Gateway ARM bypass

See Interception bypass.

Explicit proxy PAC file bypass

See:

How do I specify in a PAC file a URL that will bypass Content Gateway?

PAC File Best Practices

Transparent proxy Access Control List (ACL) bypass

See the vendor documentation for your transparent routing device.

SSL Verification Bypass

See SSL Verification bypass.