09-05-2011 04:06 AM
09-29-2011 01:58 AM
Hi Benjamin,
since restarting our firewall (running 3.1.10), we see, for example by surfing on https://balie.culemborg.nl/, a "drop-all-packets" in the threat log. But in fact, the firewall does not drop the traffic nor shows any error or warning in the decrypted certificate. So we have the bizarre situation having error hints in browsers without PA firewall (as all browsers have removed the diginotar CA), but no warnings in browsers which are secured by a PA firewall (because all browsers accepts the PA certificate, which is used to re-encrypt the SSL traffic).
regards
Manfred
10-05-2011 08:24 PM
@mhuels:
Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?
-Benjamin
10-06-2011 02:14 AM
bpappas schrieb:
@mhuels:
Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?
-Benjamin
Hi Benjamin,
up to now, we did not have configured anything in the CRL/OCSP tab. Since 5 minutes, we have enabled the checking of revocation lists via CRL and OCSP. Testing on https://188.203.119.3, the firewall blocks the ssl traffic (the browsers shows a timeout). Although it would be nicer not to drop but to bring out a security warning or an invalid certificate, this behaviour is tolerable for us. There are not so much diginotar certificates anymore ...
Thanks for your hint.
Manfred
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
