SSL certificate cache

L3 Networker

SSL certificate cache

Hi,

there are various settings in the decryption profile and also under Device -> Sessions -> Decryption Certificate Revocation Settings to control how the firewall should deal with expired or self-signed certificates etc. I am currently testing these things in a Lab and I am having difficulties seeing any differences in the firewall's behavior when I change any of these settings.

Example: decryption profile allows expired certificates. I can surf to a site that has an expired certificate. Now I change the decryption profile to block expired certificates but I can still open the same website. When I reboot the firewall, I can no longer open that website. So there is obviously some sort of caching going on and the fine print on the bottom of the decryption profile options dialog confirms that (it says 12 hours).

Is there some way I can control this cache or delete it without rebooting the firewall? I need to be able to change these settings so that they have an immediate effect.

Also, as a side question:

Say I have a profile that blocks expired certificates. Can I make exceptions to that? Some sort of whitelist?

Thanks

L3 Networker

Re: SSL certificate cache

Oh, and as a third question: Where in the logs do I find SSL related messages like drops on expired certificates? I know how to find out whether a session was decrypted or not, but how do I dig deeper if I need to troubleshoot something or just filter on "all expired certificates" and things like that?

L5 Sessionator

Re: SSL certificate cache

A1. "debug dataplane reset ssl-decrypt certificate-cache" command will do the job.  (This will also reset the SSL connection of Admin GUI).

A2. If it's kind of hostname based whitelist, I don't think it's possible.

A3. To see if the session is denied by expired cert, "show session id <id number>" might help. It shows "session tracker stage deny    : proxy decrypt failure". There might be a better way to check.

Some other commands:

- show system setting ssl-decrypt ?

> certificate         Show ssl-decrypt certificate

> certificate-cache   Show ssl-decrypt certificate cache

> exclude-cache       Show ssl-decrypt exclude cache

> memory              Show ssl-decrypt memory usage

> notify-cache        Show ssl-decrypt notify cache

> session-cache       Show ssl-decrypt session cache

> setting             Show ssl-decrypt settings

- debug dataplane reset ssl-decrypt ?

> certificate-cache        Clear all ssl-decrypt certificate cache in dataplane

> certificate-status       Clear all ssl-decrypt certificate CRL status cached in dataplane

> exclude-cache            Clear all exclude cache in dataplane

> host-certificate-cache   Clear all SSL certificates stored in host

> notify-cache             Clear all ssl-decrypt notify-user cache in dataplane

> session-cache            Clear all ssl-decrypt session cache in dataplane
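The behaviour described in the question (a profile change that only takes effect after a reboot) and the reset command in A1 are easier to reason about with a small model of a verdict cache. The following is an added illustration written for this thread, not PAN-OS code, and it does not reproduce the firewall's internal structures: a verdict is computed against the decryption profile only on a cache miss, then served from the cache until the 12-hour TTL (the value from the profile dialog's fine print) expires or the cache is explicitly reset. All names, the certificate record and the timestamps are constructed for the example.

```python
"""Model of a decryption-verdict cache with a fixed TTL and an explicit
reset. Added example for this thread; not PAN-OS code. The 12-hour TTL is
taken from the profile dialog quoted in the question; everything else is
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertInfo:
    """Constructed stand-in for the fields a validator looks at."""
    subject: str
    not_after: datetime
    self_signed: bool = False


@dataclass
class DecryptionProfile:
    """Hypothetical subset of a decryption profile's checks."""
    block_expired: bool = False
    block_untrusted: bool = False


@dataclass
class VerdictCache:
    """Verdicts keyed by certificate subject, expiring after `ttl`."""
    ttl: timedelta = timedelta(hours=12)
    _entries: dict = field(default_factory=dict)

    def lookup(self, key, now):
        entry = self._entries.get(key)
        if entry is None:
            return None
        verdict, stored_at = entry
        if now - stored_at >= self.ttl:      # TTL elapsed: evict and miss
            del self._entries[key]
            return None
        return verdict

    def store(self, key, verdict, now):
        self._entries[key] = (verdict, now)

    def reset(self):
        """Analogue of 'debug dataplane reset ssl-decrypt certificate-cache'."""
        self._entries.clear()

    def __len__(self):
        return len(self._entries)


def evaluate(cert, profile, now):
    """Policy evaluation; in this model it runs only on a cache miss."""
    if profile.block_expired and cert.not_after < now:
        return "block:expired"
    if profile.block_untrusted and cert.self_signed:
        return "block:untrusted"
    return "allow"


def decide(cert, profile, cache, now):
    """Return (verdict, served_from_cache)."""
    cached = cache.lookup(cert.subject, now)
    if cached is not None:
        return cached, True
    verdict = evaluate(cert, profile, now)
    cache.store(cert.subject, verdict, now)
    return verdict, False


def walkthrough():
    """Replay the sequence from the question and return what was observed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock
    expired = CertInfo("expired.example.test", not_after=t0 - timedelta(days=30))
    cache = VerdictCache()
    profile = DecryptionProfile(block_expired=False)

    first, _ = decide(expired, profile, cache, t0)             # allowed, now cached
    profile.block_expired = True                               # admin tightens the profile
    stale, from_cache = decide(expired, profile, cache, t0 + timedelta(minutes=5))
    cache.reset()                                              # explicit clear (A1)
    after_reset, _ = decide(expired, profile, cache, t0 + timedelta(minutes=6))

    # Without a reset the old verdict survives until the TTL runs out.
    cache2 = VerdictCache()
    decide(expired, DecryptionProfile(block_expired=False), cache2, t0)
    after_ttl, _ = decide(expired, profile, cache2, t0 + timedelta(hours=12))

    return {
        "first": first,                 # "allow"
        "stale": stale,                 # "allow"  (served from cache)
        "stale_from_cache": from_cache, # True
        "after_reset": after_reset,     # "block:expired"
        "after_ttl": after_ttl,         # "block:expired"
    }


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step:>17}: {value}")
```

The model makes the troubleshooting point explicit: a verdict is a function of the profile at fill time, so looking at the profile alone tells you nothing about what the dataplane is currently enforcing for a host it has already seen. Clearing the cache (or waiting out the TTL) is what forces re-evaluation, which is why the lab test only changed behaviour after a reboot.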

L3 Networker

Re: SSL certificate cache

Awesome, Yasu. Very helpful! Thanks a lot!

L1 Bithead

Re: SSL certificate cache

Can we automate clearing the SSL cert cache in PA? Do we have to do it manually every time?


@ymiyashita wrote:

A1. "debug dataplane reset ssl-decrypt certificate-cache" command will do the job.  (This will also reset the SSL connection of Admin GUI).

A2. If it's kind of hostname based whitelist, I don't think it's possible.

A3. To see if the session is denied by expired cert, show session id <id number>" might help. It shows "session tracker stage deny    : proxy decrypt failure". There might be better way to check.

 

Some other commands,

- show system setting ssl-decrypt ?

> certificate         Show ssl-decrypt certificate

> certificate-cache   Show ssl-decrypt certificate cache

> exclude-cache       Show ssl-decrypt exclude cache

> memory              Show ssl-decrypt memory usage

> notify-cache        Show ssl-decrypt notify cache

> session-cache       Show ssl-decrypt session cache

> setting             Show ssl-decrypt settings

 

- debug dataplane reset ssl-decrypt ?

> certificate-cache        Clear all ssl-decrypt certificate cache in dataplane

> certificate-status       Clear all ssl-decrypt certificate CRL status cached in dataplane

> exclude-cache            Clear all exclude cache in dataplane

> host-certificate-cache   Clear all SSL certificates stored in host

> notify-cache             Clear all ssl-decrypt notify-user cache in dataplane

> session-cache            Clear all ssl-decrypt session cache in dataplane


 
