This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marcel_Gramalla
Advisor
‎2021-07-27 11:07 PM
Jump to solution

HTTPS Inspection - no revocation in certificate (CRL or OCSP)

Hi,

we are using R80.40 with enabled HTTPS Inspection. Everything for normal users is working fine but we have issues with command line tool because they are unable to validate the certificate. I know that on some libraries etc. we have to manually trust the certificate itself but the issue we are facing is related to the revocation list. Here is an example from a simple curl:

curl_error.PNG

I noticed that the certificates that the gateways create doesn't include any CRL or OCSP information as you can see here:

cert_extensions.PNG

The certificate that is on the gateways itself however includes a CRL which might be the reason we don't any issues with normal browsers:

cert_subca_extensions.PNG

I haven't found any information or SK that is applicable here. Maybe some of you have any idea on how to solve that.

0 Kudos
1 Solution

Accepted Solutions
Sajgon107
Participant
‎2024-08-21 12:31 AM
In response to Marcel_Gramalla
Jump to solution

Hello,

there is an SK for particular topic - sk181363

View solution in original post

6 Replies
Martin_Raska
Advisor
Advisor
‎2021-07-28 07:06 AM
Jump to solution

You need to pass the -k or --insecure option to the curl command. This option explicitly allows curl to perform “insecure” SSL connections and transfers.

0 Kudos
Marcel_Gramalla
Advisor
‎2021-07-28 07:12 AM
In response to Martin_Raska
Jump to solution

I know this workaround but that's not the point of the thread. The certificate is trusted and I only need --ssl-no-revoke to make it work. The question is why the certificate from the gateway doesn't include these information (CRL or OCSP) as shown in the screenshots. 

0 Kudos
Martin_Raska
Advisor
Advisor
‎2021-07-28 07:24 AM
Jump to solution

In my HTTPS inspection, CLR is missing also. You will probably need to use an external CA cert with CRL for HTTPS inspection.

0 Kudos
Marcel_Gramalla
Advisor
‎2021-07-28 07:31 AM
In response to Martin_Raska
Jump to solution

Good to hear that I'm not alone with this problem. What do you mean by "use an external CA cert with CRL for HTTPS inspection"? We don't use the default Check Point certificate. We already have an own self-signed certificate which includes the CRL. It's only the website certificate itself that is missing the CRL. 

Our McAfee Web Gateway for example includes the CRL in the certificate. I will open a ticket if nobody has any further information here.

0 Kudos
Marcel_Gramalla
Advisor
‎2021-08-17 09:14 AM
Jump to solution

Just want to update this thread as TAC (after three weeks...) has confirmed with R&D that this is a known issue and they are working on it. But no ETA and no private hotfix was offered. 

I asked them to create an SK or something. If they create something public I will share the information.

Sajgon107
Participant
‎2024-08-21 12:31 AM
In response to Marcel_Gramalla
Jump to solution

Hello,

there is an SK for particular topic - sk181363

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events