topic Re: Revoked Certificate treating as Valid, is it a bug? in General Topics

Revoked Certificate treating as Valid, is it a bug?

muratahk — Sat, 14 May 2011 12:26:15 GMT

I have set up Client Certification Profile, and use in SSL VPN. I tried to revoke a cert. Firefox already able to valid that cert is invalid but PaloAlto still allow that certificate, I was able to verify from my OSCP server that PaloAlto had a successful query to my server, but I dont know what it is still allowing that revoked cert in SSL VPN.

Re: Revoked Certificate treating as Valid, is it a bug?

muratahk — Tue, 17 May 2011 01:09:15 GMT

I checked on the log, the ocsp responder replied the cert is revoked. But seems PA ignore the reply and retry 3 times and timeout the cert. If I check block timeout cert, all cert will be blocked. If I uncheck block time cert, all cert will be allowed. I do not know why it timeout the cert while system log already set it get response from OCSP that the cert was revoked or Good. I think it is a bug.

Re: Revoked Certificate treating as Valid, is it a bug?

schiang1 — Sat, 28 May 2011 17:47:46 GMT

It looks like we are able to contact the OCSP responder and get the correct certificate status. It's not clear from your posts whether a revoked certificate is being allowed or timing out? Do valid certificates work and and do we log the correct response? Are your results similar or different with IE? Have you tried just CRL checking? I would expect that if a revoked certificate is presented that we would not allow it and present a page saying it is revoked. What version PANOS are you running?

Re: Revoked Certificate treating as Valid, is it a bug?

muratahk — Sun, 29 May 2011 23:55:40 GMT

I am using PA2050 PanOS4.02.

I also want to know is the cert if being timeout or allowed.

On OSCP responder log, I can check PA2050 queries and the response to PA2050

On PA2050, as the capture, it shows the cert has been revoked. (I cannot find log for good cert though, I don"t know if PA do not log good cert events or it cannot get response)

However both good or revoked cert is not allowed if the "block timeout cert" is checked.

And other reason I think all cert has been timeout is PA do retry every query 3 times.

So the unknown area is:

1. It looks like PA2050 timeout all revoked and good cert, but interestingly it actuallly got response from OSCP responder which able to log a revoked cert events.

Re: Revoked Certificate treating as Valid, is it a bug?

mrajdev — Wed, 01 Jun 2011 23:38:07 GMT

Hi Muratahk,

The issue you have described seems similar to a bug which we are aware about. To verify the issue you are seeing is the same as the bug which we are planning to fix in next release, you will have to open up a support case.

Thanks