topic Re: SSL certificate cache in General Topics

SSL certificate cache

cryptochrome — Sun, 26 May 2013 18:18:07 GMT

Hi,

there are various settings in the decryption profile and also under Device -> Sessions -> Decryption Certificate Revocation Settings to controll how the firewall should deal with expired or self-signed certificates etc. I am currently testing these things in a Lab and I am having difficulties to see any differences in the firewall's behavior when I change any of these settings.

Example: decryption profile allows expired certificates. I can surf to a site that has an expired certificate. Now I change the decryption profile to block expired certificates but I can still open the same website. When I reboot the firewall, I can no longer open that website. So there is obviously some sort of caching going on and the fine print on the bottom of the decryption profile options dialog confirms that (it says 12 hours).

Is there some way I can control this cache or delete it without rebooting the firewall? I need to be able to change these settings so that they have an immediate effect.

Also, as a side question:

Say I have a profile that blocks expired certificates. Can I make exceptions to that? Some sort of whitelist?

Thank

Re: SSL certificate cache

cryptochrome — Sun, 26 May 2013 18:22:01 GMT

Oh, and as a third question: Where in the logs do I find SSL related messages like drops on expired certificates? I know how to find out whether a session was decrypted or not, but how do I dig deeper if I need to troubleshoot something or just filter on "all expired certificates" and things like that?

Re: SSL certificate cache

ymiyashita — Tue, 28 May 2013 01:27:37 GMT

A1. "debug dataplane reset ssl-decrypt certificate-cache" command will do the job. (This will also reset the SSL connection of Admin GUI).

A2. If it's kind of hostname based whitelist, I don't think it's possible.

A3. To see if the session is denied by expired cert, show session id <id number>" might help. It shows "session tracker stage deny : proxy decrypt failure". There might be better way to check.

Some other commands,

- show system setting ssl-decrypt ?

> certificate Show ssl-decrypt certificate

> certificate-cache Show ssl-decrypt certificate cache

> exclude-cache Show ssl-decrypt exclude cache

> memory Show ssl-decrypt memory usage

> notify-cache Show ssl-decrypt notify cache

> session-cache Show ssl-decrypt session cache

> setting Show ssl-decrypt settings

- debug dataplane reset ssl-decrypt ?

> certificate-cache Clear all ssl-decrypt certificate cache in dataplane

> certificate-status Clear all ssl-decrypt certificate CRL status cached in dataplane

> exclude-cache Clear all exclude cache in dataplane

> host-certificate-cache Clear all SSL certificates stored in host

> notify-cache Clear all ssl-decrypt notify-user cache in dataplane

> session-cache Clear all ssl-decrypt session cache in dataplane

Re: SSL certificate cache

cryptochrome — Tue, 28 May 2013 07:00:56 GMT

Awesome, Yasu. Very helpful! Thanks a lot!

Re: SSL certificate cache

Srivastava — Fri, 29 Jul 2016 00:27:16 GMT

Can we automate to clear ssl cert cache in PA ? Do we have to do it manually everytime ?

@ymiyashita wrote:
A1. "debug dataplane reset ssl-decrypt certificate-cache" command will do the job. (This will also reset the SSL connection of Admin GUI).
A2. If it's kind of hostname based whitelist, I don't think it's possible.
A3. To see if the session is denied by expired cert, show session id <id number>" might help. It shows "session tracker stage deny    : proxy decrypt failure". There might be better way to check.

Some other commands,
- show system setting ssl-decrypt ?
> certificate         Show ssl-decrypt certificate
> certificate-cache   Show ssl-decrypt certificate cache
> exclude-cache       Show ssl-decrypt exclude cache
> memory              Show ssl-decrypt memory usage
> notify-cache        Show ssl-decrypt notify cache
> session-cache       Show ssl-decrypt session cache
> setting             Show ssl-decrypt settings

- debug dataplane reset ssl-decrypt ?
> certificate-cache        Clear all ssl-decrypt certificate cache in dataplane
> certificate-status       Clear all ssl-decrypt certificate CRL status cached in dataplane
> exclude-cache            Clear all exclude cache in dataplane
> host-certificate-cache   Clear all SSL certificates stored in host
> notify-cache             Clear all ssl-decrypt notify-user cache in dataplane
> session-cache            Clear all ssl-decrypt session cache in dataplane