Google and Yahoo Domains are Untrusted with SSL Decryption and FIPS Mode Enabled

Symptom

When browsing to Google or Yahoo sites with SSL decryption and FIPS mode enabled, the firewall presents the Forward Untrust Certificate to the client.

Explanation

Both Google and Yahoo present root certificates with 1024 bit keys in their certificate chains. Since 2010, certificates with 1024 bit keys are not FIPS-compliant, and therefore, a firewall in FIPS mode will not trust the certificates.

Google's certificate chain

$ openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Equifax Secure Certificate Authority

$ openssl x509 -in Equifax_Secure_Certificate_Authority.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 903804111 (0x35def4cf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Validity
Not Before: Aug 22 16:41:51 1998 GMT
Not After : Aug 22 16:41:51 2018 GMT
Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)

Yahoo's certificate chain

$ openssl s_client -connect yahoo.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=www.yahoo.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Class 3 Public Primary Certification Authority

$ openssl x509 -in Class-3-Public-Primary-Certification-Authority.pem -text -noout

Certificate:
Data:
Version: 1 (0x0)
Serial Number:
3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
Not Before: Jan 29 00:00:00 1996 GMT
Not After : Aug 2 23:59:59 2028 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)

Workaround

There is no way to force the firewall to trust certificates with 1024 bit keys when FIPS mode is enabled.

You can exempt Google and Yahoo sites from SSL decryption using the following steps:

1. Create a custom URL Category on the Objects > Custom Objects page that contains the following URLs:

*.google.com

*.yahoo.com

2. Create a new decyption policy on the Policies > Decryption page.

a. Set the source and destination to match the existing decryption policy.

b. Set the URL Category to the custom category created in Step 1.

c. Under the Options tab, select "No Decrypt".

d. Place the "No Decrypt" policy above the existing decryption policy and commit.