SSL certificate categorization does not work for sub-domains when the OCS presents a wildcard certificate.


Article ID: 166933


Products

ProxySG Software - SGOS

Issue/Introduction

You have a transparent proxy deployment that uses an SSL access rule to block SSL sites based on the BCWF categorization of the CN in the SSL certificate.

Websites that return a wildcard SSL certificate are categorized as 'none' by the ProxySG.

Resolution

When the OCS presents a wildcard certificate (e.g. *.domain.com), the ProxySG also requires a response from DRTR, as it cannot rely purely on the wildcard certificate to know what the true requested URL was.

The reason the ProxySG cannot rely on the SSL wildcard certificates alone is because in an unintercepted transparent deployment, the ProxySG only knows the IP address of the site that was requested and the domain portion in the wildcard CN.

The ProxySG will therefore not know if the user requested the 'domain URL' or a 'sub-domain URL'.

The category 'none' is returned if the IP address does not exist in DRTR and a wildcard SSL certificate is returned by the OCS.

As of SGOS 6.2.14.1 the behavior has changed: the proxy now categorizes the request based on the host of the wildcard certificate (for *.domain.com, the category of domain.com).
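The following added example (not SGOS code, and not from this article) models the decision described above in Python so the two behaviors can be compared side by side. The DRTR and BCWF lookup tables, the IP addresses and the category names are constructed for the example; the version comparison simply switches between the pre- and post-6.2.14.1 logic the article describes. It also shows why a wildcard CN is ambiguous: the certificate matches any single-label sub-domain, so the CN alone cannot tell the proxy which host was requested in an unintercepted transparent flow.

```python
# Constructed DRTR (dynamic real-time rating) results keyed by OCS IP address.
# In a transparent, unintercepted SSL flow the IP is all the proxy sees
# besides the certificate, so this is the only lookup key available.
DRTR_BY_IP = {
    "203.0.113.10": "Social Networking",   # constructed entry
}

# Constructed static BCWF-style ratings keyed by hostname.
BCWF_BY_HOST = {
    "example.com": "Business",             # constructed entry
    "mail.example.com": "Web Mail",        # constructed entry
}


def is_wildcard_cn(cn: str) -> bool:
    """True when the CN's entire leftmost label is '*' (e.g. '*.example.com')."""
    labels = cn.lower().split(".")
    return labels[0] == "*" and len(labels) >= 3 and all(labels[1:])


def wildcard_host(cn: str) -> str:
    """Host the wildcard covers: '*.example.com' -> 'example.com'."""
    return cn.lower().split(".", 1)[1]


def cn_matches_host(cn: str, host: str) -> bool:
    """Certificate name matching: a wildcard covers exactly one extra leftmost label."""
    cn, host = cn.lower(), host.lower()
    if not is_wildcard_cn(cn):
        return cn == host
    suffix = wildcard_host(cn)
    if not host.endswith("." + suffix):
        return False
    # The part in front of the suffix must be a single label.
    return "." not in host[: -len(suffix) - 1]


def possible_hosts(cn: str, candidates: list) -> list:
    """Every candidate host the presented certificate could have been served for."""
    return [h for h in candidates if cn_matches_host(cn, h)]


def categorize(cn: str, ocs_ip: str, sgos_version: str) -> str:
    """Category the proxy assigns, following the behaviors described in the article."""
    version = tuple(int(part) for part in sgos_version.split("."))
    if not is_wildcard_cn(cn):
        # Exact CN: the hostname is known, rate it directly.
        return BCWF_BY_HOST.get(cn.lower(), "none")
    if version >= (6, 2, 14, 1):
        # Newer behavior: rate the host portion of the wildcard.
        return BCWF_BY_HOST.get(wildcard_host(cn), "none")
    # Older behavior: the CN cannot identify the sub-domain, so DRTR by IP is
    # required; no DRTR entry means category 'none'.
    return DRTR_BY_IP.get(ocs_ip, "none")


if __name__ == "__main__":
    hosts = ["example.com", "mail.example.com", "shop.example.com", "a.b.example.com"]
    print("*.example.com could be:", possible_hosts("*.example.com", hosts))
    for ver in ("6.2.13.1", "6.2.14.1"):
        print(ver, categorize("*.example.com", "198.51.100.7", ver))
```

Running the script shows that the wildcard CN matches both mail.example.com and shop.example.com (but not example.com itself or a.b.example.com), which is exactly the ambiguity that forces the older SGOS to fall back on a DRTR lookup by IP.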