When enabling OCSP and having a self-signed certificate for SSL decryption (we push the certificate to all our domain clients),
will OCSP check my self-signed certificate against the OCSP responder (and fail because it is unknown)?
Or will it only check the original destination server certificate (for example that of Facebook)?
The OCSP extension will simply not be built in the client-side certificate by default.
If you choose to use an OCSP responder on the self-signed certificate, the client will use that OCSP responder. It won't fail, because the OCSP responder will not find a revoked serial number (it won't find any serial number, but that's not the purpose of OCSP).
Hope this helps!
All right, OCSP is not completely clear to me yet.
Would you not use it purely for client certificates?
And if so, how do you disable it from checking all server certificates when SSL decryption is enabled?
Because when we set this up and we use SSL decryption, we get untrusted warnings for all certificates. To solve this, we would need to configure an OCSP responder for all CAs separately, which obviously is not possible.
It is pretty uncommon for OCSP to be used for SSL decryption. I most commonly see it used for the firewall login itself (using a trusted or in-house CA), captive portal, and GlobalProtect.
The reason you get untrusted warnings on all certificates with SSL decryption is because the firewall is creating a new certificate on the fly for the host you are visiting. For example, if your client visits https://live.paloaltonetworks.com, instead of the certificate being issued by GoDaddy as ours is, it is issued by your firewall. The firewall copies the Common Name and dates from the official GoDaddy cert on that site, but has to issue a new one for the client.
Unless the client trusts that firewall CA certificate, every site will be untrusted. This is the nature of SSL Decryption (technically it is a man-in-the-middle).
I know, that is PA SSL decryption 101 :-)
I mean even with the client having the root CA in his trust store, we still get all untrusted certificates.
(Without OCSP the SSL decryption works fine.)
Looks like OCSP is not checking the root CA, but is checking whether the original certificate (for example Facebook's) is revoked...
I wouldn't expect using OCSP would have any effect on decryption. I think that it might be worth creating a case with support as long as your firewall is under a support contract. The client doesn't get the original certificate, so it wouldn't be possible for them to check to see if it is revoked or not.
When you open your support ticket, please point to this discussion for additional background.
Okay, then it seems my initial understanding of OCSP was somewhat correct and this should not have any impact on SSL decryption.
I have opened a tech support case (pointing to this discussion).
I will give an update as soon as I have one.
Thanks for all the help, Greg!
A quick update: it seems we were hitting a bug.
It seems there was a filename buffer overflow. So when we enabled OCSP and the PA did a check to find the PA responder, it would fail because the filename was too long.
(Extract from the sslmgr.log file: pan_ocsp_certchain_to_file(pan_crl.c:1104): Error opening /opt/pancfg/certificates/predefined/VeriSign, Inc., )
The fix for the original issue is still being tested. I will update you with further OS version information when available.
The fix will extend the CA filename buffer to eliminate the error message we are seeing in sslmgr.log. Also, it will clean up the cert status representation on the dataplane.
Can you please give some details? I think we're hitting the same bug:
Jun 21 08:34:15 Error: sslmgr_parse_request(sslmgr_main.c:820): Truncated buffer(8188)
Jun 21 08:38:31 Error: pan_ocsp_certchain_to_file(pan_crl.c:1078): Error opening /opt/pancfg/certificates/predefined/VeriSign, Inc.,
Jun 21 08:38:31 Error: pan_ocsp_fetch_ocsp(pan_crl.c:1922): pan_ocsp_certchain_to_file() failed
The certificate for the site https://neo.ubs.com is valid, but our PA says the certificate is expired.
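The sslmgr.log lines quoted in the last two posts share one shape, so the failure pattern can be triaged automatically. The following Python script is an added example, not code from this thread or from Palo Alto Networks: it parses that shape, collects the pan_ocsp_certchain_to_file open errors, and flags chain-file names that appear cut short. The sample lines are constructed in the quoted format, and the truncation heuristic (a file name ending in a comma) is an assumption.

```python
import re

# Constructed sample in the sslmgr.log format quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Jun 21 08:34:15 Error: sslmgr_parse_request(sslmgr_main.c:820): Truncated buffer(8188)
Jun 21 08:38:31 Error: pan_ocsp_certchain_to_file(pan_crl.c:1078): Error opening /opt/pancfg/certificates/predefined/VeriSign, Inc.,
Jun 21 08:38:31 Error: pan_ocsp_fetch_ocsp(pan_crl.c:1922): pan_ocsp_certchain_to_file() failed
Jun 21 08:40:02 Error: pan_ocsp_certchain_to_file(pan_crl.c:1078): Error opening /opt/pancfg/certificates/predefined/ExampleRootCA
"""

# Shape of each line: "<Mon DD HH:MM:SS> <Level>: <func>(<file>:<line>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<level>\w+): "
    r"(?P<func>\w+)\((?P<src>[\w.]+):(?P<srcline>\d+)\): (?P<msg>.*)$"
)
OPEN_ERR_RE = re.compile(r"^Error opening (?P<path>\S.*)$")

def parse_line(line):
    """Return the fields of one sslmgr.log line, or None if it is not in that shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def looks_truncated(path):
    """Heuristic (assumption): a chain file name ending in a comma was cut mid issuer
    name, the symptom described in this thread ('VeriSign, Inc.,')."""
    return path.rsplit("/", 1)[-1].endswith(",")

def triage(log_text):
    """Summarise the OCSP chain-file failure pattern across a whole sslmgr.log text."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    failures = []
    for e in events:
        m = OPEN_ERR_RE.match(e["msg"]) if e["func"] == "pan_ocsp_certchain_to_file" else None
        if not m:
            continue
        path = m.group("path").rstrip()
        failures.append({"time": e["ts"], "path": path,
                         "ca_file": path.rsplit("/", 1)[-1],
                         "truncated_name": looks_truncated(path)})
    return {
        "truncated_buffer_errors": sum(e["msg"].startswith("Truncated buffer") for e in events),
        "ocsp_fetch_failures": sum(e["func"] == "pan_ocsp_fetch_ocsp"
                                   and e["msg"].endswith("failed") for e in events),
        "chain_file_failures": failures,
        # Only an open error on a truncated name points at the buffer bug itself;
        # a failure on a well-formed name points at the certificate store instead.
        "suspect_bug": any(f["truncated_name"] for f in failures),
    }
```

Run `triage(open("sslmgr.log").read())` against a real export, or `triage(SAMPLE_LOG)` to see the constructed case, and check `suspect_bug` before opening a support case.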