Marcel_Gramalla
Advisor

HTTPS Inspection - no revocation in certificate (CRL or OCSP)

Hi,

we are using R80.40 with enabled HTTPS Inspection. Everything for normal users is working fine, but we have issues with command line tools because they are unable to validate the certificate. I know that for some libraries etc. we have to manually trust the certificate itself, but the issue we are facing is related to the revocation list. Here is an example from a simple curl:

[screenshot: curl_error.PNG]

I noticed that the certificates that the gateways create don't include any CRL or OCSP information, as you can see here:

[screenshot: cert_extensions.PNG]

The certificate that is on the gateways itself, however, includes a CRL, which might be the reason we don't have any issues with normal browsers:

[screenshot: cert_subca_extensions.PNG]

I haven't found any information or SK that is applicable here. Maybe some of you have an idea on how to solve that.

Martin_Raska
Advisor

You need to pass the -k or --insecure option to the curl command. This option explicitly allows curl to perform “insecure” SSL connections and transfers.

Marcel_Gramalla
Advisor

I know this workaround, but that's not the point of the thread. The certificate is trusted and I only need --ssl-no-revoke to make it work. The question is why the certificate from the gateway doesn't include this information (CRL or OCSP), as shown in the screenshots.

Martin_Raska
Advisor

In my HTTPS inspection, the CRL is missing too. You will probably need to use an external CA cert with CRL for HTTPS inspection.

Marcel_Gramalla
Advisor

Good to hear that I'm not alone with this problem. What do you mean by "use an external CA cert with CRL for HTTPS inspection"? We don't use the default Check Point certificate. We already have our own self-signed certificate which includes the CRL. It's only the website certificate itself that is missing the CRL.

Our McAfee Web Gateway for example includes the CRL in the certificate. I will open a ticket if nobody has any further information here.

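The situation described in the opening question and restated in the post above (the gateway's own CA certificate carries a CRL Distribution Point, the re-signed website certificate carries neither a CRL DP nor an OCSP URL), modelled as an added example that is not from this thread or from Check Point: it builds a constructed private CA and leaf with Go's standard library and reports what a revocation-checking client such as curl on Windows would find in each. The CA name, hostname and CRL URL are constructed placeholders.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// RevocationInfo returns a certificate's CRL Distribution Point and OCSP responder URLs; a revocation-checking client needs at least one.
func RevocationInfo(c *x509.Certificate) (crls, ocsp []string, ok bool) {
	return c.CRLDistributionPoints, c.OCSPServer, len(c.CRLDistributionPoints) > 0 || len(c.OCSPServer) > 0
}
// issue signs tmpl under parent with the parent's key and parses the DER back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub, key interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// BuildChain models an inspecting gateway: a private CA whose certificate points at a CRL re-signs a site leaf; withCRL decides whether the leaf gets the CRL DP too (names/URL constructed).
func BuildChain(withCRL bool) (ca, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key is not needed here
	now, crl := time.Now(), []string{"http://crl.example.invalid/inspection-ca.crl"}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Inspection CA (constructed)"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, CRLDistributionPoints: crl,
	}
	if ca, err = issue(caTmpl, caTmpl, caPub, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.invalid"},
		DNSNames: []string{"www.example.invalid"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withCRL {
		leafTmpl.CRLDistributionPoints = crl // the extension missing from the gateway's re-signed leaf
	}
	leaf, err = issue(leafTmpl, ca, leafPub, caKey)
	return ca, leaf, err
}
func main() {
	_, leaf, _ := BuildChain(false)
	fmt.Println(RevocationInfo(leaf)) // [] [] false: nothing for a revocation-checking client to fetch
}
```

A CRL DP on the issuing CA certificate only lets a client check the CA itself; the leaf is what curl checks, so the fix has to land in the re-signed leaf.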
Marcel_Gramalla
Advisor

Just want to update this thread as TAC (after three weeks...) has confirmed with R&D that this is a known issue and they are working on it. But no ETA and no private hotfix was offered. 

I asked them to create an SK or something. If they create something public I will share the information.