Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
796570686578
Collaborator

FYI: OCSP is default when using 3rd Party CAs... Automatic fallback not working

Hello everyone,

I thought I'd inform you all about a recent discovery I wasn't aware of and might be news for some of you as well.

A few weeks ago, we wanted to configure OCSP instead of CRL to validate VPN Client Certs. After a lot of back and forth we were informed that when using a 3rd Party CA (e.g. Microsoft Windows Certificate Authority) AND if there is an OCSP endpoint configured in the certificate, the gateway will automatically verify the certificate using OCSP and not CRL. Even if you have CRL configured in your LDAP Account Unit. This behavior is currently not documented at all, at least I didn't find it anywhere and CP support confirmed that as well. So you don't need to follow https://support.checkpoint.com/results/sk/sk37803 to configure OCSP. 

 

The worst thing is that automatic fallback to CRL is currently not working and there is no priority on fixing this issue. Support was not able to tell me an ETA on a fix. I'm surprised that there is no priority on fixing this issue since I'm sure there are quite a lot of customers using certificates with a 3rd Party CA for authentication...

Maybe if more customers ask for an ETA or RFE, they will prioritize it.

 

How to check if you are using OCSP or CRL:

OCSP is enabled:

 

[Expert@gw01:0]# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 use_crl_for_revocation_method
SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 }

 

 

CRL is enabled:

 

[Expert@gw01:0]# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 use_crl_for_revocation_method
SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 use_crl_for_revocation_method=[n]1 }

 

 

If your OCSP server is not responding, you currently have to set a parameter manaualy to switch to CRL.

Additionally, you can perform a packet capture between your gateway and CA to check whether OCSP or CRL requests are sent.

 

If you have any questions, feel free to ask!

 

Have a great day & best regards

 

(1)
1 Reply
PhoneBoy
Admin
Admin

Thanks for letting the community know!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events