topic How to remove DigiNotar CA SSL Root Authority in General Topics

How to remove DigiNotar CA SSL Root Authority

mhuels — Mon, 05 Sep 2011 11:06:53 GMT

i do not find a hint how to remove any SSL Root Authority in my PAN. How can i announce me the trusted SSL Authorities? Is it possible to remove a single CA like "DigiNotar Root CA".

mfg

Manfred

Re: How to remove DigiNotar CA SSL Root Authority

lardsa — Mon, 05 Sep 2011 12:26:54 GMT

+1 !

Re: How to remove DigiNotar CA SSL Root Authority

migration — Wed, 07 Sep 2011 17:26:57 GMT

Ditto...

Re: How to remove DigiNotar CA SSL Root Authority

Kendric — Wed, 07 Sep 2011 22:23:51 GMT

I would like to know too!

Re: How to remove DigiNotar CA SSL Root Authority

camkim_MDEA — Wed, 07 Sep 2011 22:29:34 GMT

I wouldn't expect the PAN to have a list of authorized certificate authorities on the device.

This should be updated by each browser and host O/S.

Re: How to remove DigiNotar CA SSL Root Authority

Kendric — Wed, 07 Sep 2011 22:32:51 GMT

The PAN needs to know what certificates to trust and which not to trust in order to determine when to present the trust cert to a client or the untrust cert to the client for SSL decryption. The PAN device must have an untrust and a trust list on device to do this.

Re: How to remove DigiNotar CA SSL Root Authority

camkim_MDEA — Thu, 08 Sep 2011 02:20:41 GMT

Ah, learn something new every day.

They realeased update 265 to alert on certs with the DigiNotar Root Authority, but its not clear if that removes from the device as well or if a different update is required for the device.

Re: How to remove DigiNotar CA SSL Root Authority

bpappas — Thu, 08 Sep 2011 02:25:54 GMT

@camkim:

please note this information included in the release notes for this emergency content update:

"In addition, for users of SSL decryption, the new release removes DigiNotar from the device's trusted CA list"

I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s).

Thanks,

Benjamin

Re: How to remove DigiNotar CA SSL Root Authority

lardsa — Thu, 08 Sep 2011 08:36:38 GMT

My 2 cents is that PA should let us list & manage root CAs from GUI.

Re: How to remove DigiNotar CA SSL Root Authority

mhuels — Thu, 08 Sep 2011 10:11:22 GMT

I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s).

Thanks,

Benjamin

Hi Benjamin,

is it a secret, where to find the trusted certificate store on a palo alto system? Why don't you tell the customers simply the method to control the certificate store by themselves?

kindly regards

Manfred

Re: How to remove DigiNotar CA SSL Root Authority

mhuels — Thu, 08 Sep 2011 10:18:50 GMT

They realeased update 265 to alert on certs with the DigiNotar Root Authority, but its not clear if that removes from the device as well or if a different update is required for the device.

Also other CAs are concerned apparently.

(german website) http://www.heise.de/open/meldung/DigiNotar-Hack-GlobalSign-stellt-vorerst-keine-Zertifikate-mehr-aus-1338162.html

Re: How to remove DigiNotar CA SSL Root Authority

jleung — Thu, 08 Sep 2011 15:37:45 GMT

Hi,

You need to restart your dataplane after the content update before the change can take effect.

Re: How to remove DigiNotar CA SSL Root Authority

bpappas — Thu, 08 Sep 2011 21:01:41 GMT

@Manfred:

The trusted certificate store on Palo Alto Networks devices is not currently configurable or viewable.

If you wish to see the features of the product modified to allow user configuration of the certificate store please talk to your sales team to submit a feature request on your behalf.

Thanks,

Benjamin

Re: How to remove DigiNotar CA SSL Root Authority

dread — Thu, 08 Sep 2011 23:01:41 GMT

Should a dataplane restart be done after every content update or this update special because of the SSL cert issue?

Re: How to remove DigiNotar CA SSL Root Authority

bpappas — Thu, 08 Sep 2011 23:03:46 GMT

@dread:

this content update is an exception. Most content updates do not require a restart of the dataplane or the device.

Thanks,

benjamin

Re: How to remove DigiNotar CA SSL Root Authority

mhuels — Thu, 29 Sep 2011 08:58:18 GMT

Hi Benjamin,

since restarting our firewall (running 3.1.10), we see, for example by surfing on https://balie.culemborg.nl/, a "drop-all-packets" in the threat log. But in fact, the firewall does not drop the traffic nor shows any error or warning in the decrypted certificate. So we have the bizarre situation having error hints in browsers without PA firewall (as all browsers have removed the diginotar CA), but no warnings in browsers which are secured by a PA firewall (because all browsers accepts the PA certificate, which is used to re-encrypt the SSL traffic).

regards

Manfred

Re: How to remove DigiNotar CA SSL Root Authority

bpappas — Thu, 06 Oct 2011 03:24:17 GMT

@mhuels:

Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?

-Benjamin

Re: How to remove DigiNotar CA SSL Root Authority

mhuels — Thu, 06 Oct 2011 09:14:17 GMT

bpappas schrieb:

@mhuels:

Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?

-Benjamin

Hi Benjamin,

up to now, we did not have configured anything in the CRL/OCSP tab. Since 5 minutes, we have enabled the checking of revocation lists via CRL and OCSP. Testing on https://188.203.119.3, the firewall blocks the ssl traffic (the browsers shows a timeout). Although it would be nicer not to drop but to bring out a security warning or an invalid certificate, this behaviour is tolerable for us. There are not so much diginotar certificates anymore ...

Thanks for your hint.

Manfred