SSL Visibility 4.x Cut Through Rules May Not Match and Get Decrypted if the Server Certificate Is Not Valid


Article ID: 170533


Updated On:

Products

SV-3800, SV-2800, SSL Visibility Appliance Software, SV-1800, SV-800

Issue/Introduction

Cut-through rules configured in SSL Visibility 4.x that use the unsupported-sites list or a custom Domain Name List may fail to match. The affected flows are then decrypted instead of cut through, and an error message is recorded in the SSL Session Log.

Cause

SSL Visibility 4.x does not match cut-through rules if the server's X.509 certificate is invalid. Some of the sites in the unsupported-sites list are not configured to send the full certificate chain, so the appliance cannot build a path to a trusted root and considers the certificate invalid (Incomplete Chain). The result is a mismatch on the unsupported-sites entry. One such site that Symantec is aware of is courier.push.apple.com.

Resolution

To successfully cut through traffic to courier.push.apple.com, do one of the following, in order of preference:

1. Add the server certificate to the Trusted Certificate List

  • Download the web server certificate from the browser
  • Add the web server certificate to the all-trusted-certificates list
  • In the global ruleset options, change the Trusted Certificates list from (Not Set) to All Trusted Certificates and apply the changes

2. Create a new External Certificate Authorities list containing the intermediate and root CAs

  • Download the Apple intermediate and root certificates from: https://www.apple.com/certificateauthority/
  • Add these to the imported-external-certificates-authorities list. See the SSL Visibility Appliance Administration & Deployment Guide for details
  • Create a new custom external certificate list called Trusted_external_imported_list and add the external certificate authorities and the individual imported certificate authorities to it
  • In the global ruleset options, change the External Certificate Authorities list from Trusted External Certificate Authorities to Trusted_external_imported_list and apply the changes

3. Starting in 4.5.1.1, a new "Ignore Certificate Status" option was introduced. This allows the SSLV to cut through a flow even if the certificate status is not valid. See Article ID: 176095 for more details.
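The following script is an added example and is not part of this article or of the SSL Visibility product. It reproduces the Incomplete Chain condition from the Cause section offline, using `openssl verify` as a stand-in for the appliance's certificate validation: it builds a throwaway root, intermediate and leaf (all names, such as courier.push.example and Example Root CA, are constructed), shows that the leaf fails validation when the server omits the intermediate and the validator trusts only the root, and then shows the analogues of resolutions 1 (trusting the server certificate itself) and 2 (importing the intermediate and root CAs as trusted). The `-partial_chain` flag in the last check is an OpenSSL detail, not an appliance setting.

```shell
#!/bin/sh
# Added example (not from the article): an offline "Incomplete Chain" reproduction
# with a constructed root -> intermediate -> leaf PKI, checked with openssl verify.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
EOF

# Extension profiles for CA certificates and the server (leaf) certificate.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:courier.push.example
EOF

# issue NAME SUBJECT EXT_SECTION [ISSUER]; with no ISSUER the cert is self-signed.
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "$subj" -config req.cnf -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile ext.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
      -days 30 -extfile ext.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
  fi
}

issue root "/CN=Example Root CA" ca            # constructed root CA
issue int  "/CN=Example Issuing CA" ca root    # constructed intermediate CA
issue leaf "/CN=courier.push.example" leaf int # constructed server certificate

# Server sends only the leaf and the validator trusts only the root: no path to
# the root can be built, so the certificate is invalid (the article's Incomplete Chain).
verify_leaf_only() { openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; }

# Server sends leaf + intermediate (a complete chain): validation succeeds.
verify_full_chain() { openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; }

# Resolution 2 analogue: the intermediate and root CAs are imported into the trusted
# list, so the chain completes even though the server omits the intermediate.
verify_imported_cas() {
  cat root.crt int.crt > trusted_imported_list.pem
  openssl verify -CAfile trusted_imported_list.pem leaf.crt >/dev/null 2>&1
}

# Resolution 1 analogue: the server certificate itself is placed in the trusted list.
# openssl needs -partial_chain to accept a trust-store match that is not a self-signed root.
verify_trusted_leaf() { openssl verify -partial_chain -CAfile leaf.crt leaf.crt >/dev/null 2>&1; }

report() { if "$1"; then echo "$1: valid"; else echo "$1: INVALID (incomplete chain)"; fi; }
report verify_leaf_only     # INVALID
report verify_full_chain    # valid
report verify_imported_cas  # valid
report verify_trusted_leaf  # valid
```

The first check is the situation the article describes: the leaf is perfectly good, but without the intermediate the validator has nothing to link it to the root. Either supplying the missing intermediate (which only the site operator can do) or trusting the missing pieces locally (resolutions 1 and 2) turns the same leaf into a valid certificate.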