I have set up a Client Certification Profile and use it in SSL VPN. I tried to revoke a cert. Firefox is already able to validate that the cert is invalid, but PaloAlto still allows that certificate. I was able to verify from my OCSP server that PaloAlto made a successful query to my server, but I don't know why it is still allowing that revoked cert in SSL VPN.
I checked the log; the OCSP responder replied that the cert is revoked. But it seems PA ignores the reply, retries 3 times and times out the cert. If I check "block timeout cert", all certs will be blocked. If I uncheck "block timeout cert", all certs will be allowed. I do not know why it times out the cert while the system log already shows it got a response from OCSP that the cert was revoked or Good. I think it is a bug.
It looks like we are able to contact the OCSP responder and get the correct certificate status. It's not clear from your posts whether a revoked certificate is being allowed or timing out. Do valid certificates work, and do we log the correct response? Are your results similar or different with IE? Have you tried just CRL checking? I would expect that if a revoked certificate is presented we would not allow it and would present a page saying it is revoked. What version of PANOS are you running?
I am using a PA2050 with PanOS 4.02.
I also want to know if the cert is being timed out or allowed.
On the OCSP responder log, I can see the PA2050 queries and the responses to the PA2050.
On the PA2050, as in the capture, it shows the cert has been revoked. (I cannot find a log for a good cert though; I don't know if PA does not log good cert events or if it cannot get a response.)
However, neither good nor revoked certs are allowed if "block timeout cert" is checked.
Another reason I think all certs have been timed out is that PA retries every query 3 times.
So the unknown area is:
1. It looks like the PA2050 times out all revoked and good certs, but interestingly it actually got a response from the OCSP responder, since it was able to log a revoked cert event.
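When a firewall log and an OCSP responder log disagree about what was answered, the useful check is to replay the question yourself: have a responder answer for the exact certificate serial, then verify that answer the way a relying party (the firewall) is supposed to, and compare the status word with what the firewall reports. The script below is an added example, not code from this thread or from Palo Alto. It assumes only that the openssl CLI (1.1.1 or newer) is installed; the lab CA, the client certificate with serial 0x1001, the three index files and every path under $LAB are constructed for the demonstration. It exercises all three responder answers ("good", "revoked", "unknown") so you can see what a correct relying party should do with each.

```sh
#!/bin/sh
# Added example (not from the thread or from Palo Alto): build a throwaway CA,
# issue one client certificate, then answer and verify an OCSP query for it
# entirely offline with openssl. All names and paths here are constructed.
set -eu

LAB="${LAB:-$(mktemp -d)}"   # scratch directory for keys, certs and index files

lab_setup() {
  [ -f "$LAB/client.crt" ] && return 0   # already built on an earlier call
  # Self-signed lab CA (openssl marks -x509 certs as CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/ca.key" -out "$LAB/ca.crt" \
    -subj "/CN=Lab OCSP Test CA" -days 2 >/dev/null 2>&1
  # Client certificate with a fixed serial (0x1001) so the index can reference it.
  openssl req -newkey rsa:2048 -nodes -keyout "$LAB/client.key" -out "$LAB/client.csr" \
    -subj "/CN=lab-client" >/dev/null 2>&1
  openssl x509 -req -in "$LAB/client.csr" -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" \
    -set_serial 0x1001 -days 2 -out "$LAB/client.crt" >/dev/null 2>&1
  # Three index files in "openssl ca" database format (tab separated fields:
  # status, expiry, revocation date, serial in hex, file name, subject).
  # Serial 1001 valid:
  printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=lab-client\n' > "$LAB/index-good.txt"
  # Serial 1001 revoked as of now:
  printf 'R\t301231235959Z\t%s\t1001\tunknown\t/CN=lab-client\n' \
    "$(date -u +%y%m%d%H%M%SZ)" > "$LAB/index-revoked.txt"
  # Index that has never issued serial 1001, so the responder answers "unknown":
  printf 'V\t301231235959Z\t\t2002\tunknown\t/CN=someone-else\n' > "$LAB/index-unknown.txt"
}

# ocsp_lookup INDEXFILE: answer an OCSP request for client.crt from INDEXFILE
# (openssl in one-shot responder mode), then verify that response the way a
# client would and print just the status word.
ocsp_lookup() {
  idx="$1"
  # Responder side: sign an OCSP response for client.crt based on the index.
  openssl ocsp -index "$idx" -CA "$LAB/ca.crt" -rsigner "$LAB/ca.crt" -rkey "$LAB/ca.key" \
    -issuer "$LAB/ca.crt" -cert "$LAB/client.crt" -no_nonce \
    -respout "$LAB/resp.der" >/dev/null 2>&1
  # Client side: parse resp.der, check its signature chains to the lab CA and
  # that the signer is entitled to speak for this issuer, then report the
  # status for client.crt ("Response verify OK" goes to stderr and is dropped).
  openssl ocsp -issuer "$LAB/ca.crt" -cert "$LAB/client.crt" -no_nonce \
    -respin "$LAB/resp.der" -CAfile "$LAB/ca.crt" 2>/dev/null \
    | sed -n 's/^.*client\.crt: //p'
}

lab_setup
for idx in good revoked unknown; do
  printf '%-8s index -> status: %s\n' "$idx" "$(ocsp_lookup "$LAB/index-$idx.txt")"
done
```

Against a real responder you would replace the first openssl call with `openssl ocsp -issuer <issuer.crt> -cert <client.crt> -url <responder URL> -resp_text`, which performs the network query and prints the decoded response; if that returns "revoked" while the firewall reports a timeout, the responder is answering correctly and the problem is on the relying-party side, which is exactly the distinction the thread is trying to make.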