Configure OCSP to perform real-time certificate revocation status checks

Article ID: 171148


Products

ProxySG Software - SGOS, SG-300, Symantec WebFilter (formerly Blue Coat WebFilter - BCWF), SG-600, Intelligence Services, SG-510, SG-810, SG-9000, SG-900, SG-S500, Secure Web Gateway Virtual Appliance, SG-S200, SWG VA-100

Issue/Introduction

Because each CRL you store on the ProxySG appliance requires memory for storage, you should consider using OCSP if you find that you require a large number of CRLs. With OCSP, you do not need to store the CRLs locally on the appliance. Instead, the ProxySG appliance acts as an OCSP client and queries a remote OCSP responder on the intranet or Internet each time it needs to verify a certificate. In addition, OCSP provides the most secure means of checking certificate revocation status because the checks are done in real time.

Resolution

The OCSP responder sends one of the following certificate statuses back to the ProxySG (the OCSP client):

  • Good - The certificate is not revoked and valid at the time of the query.
  • Revoked - The certificate has been revoked either permanently or temporarily.
  • Unknown - The responder does not know the revocation status of the certificate.

The ProxySG can also cache OCSP responses and can respect, override, or ignore the cacheability timestamp carried in the OCSP response.

For more details on how to use OCSP with the ProxySG, refer to the SGOS Administration Guide.
To enable an OCSP revocation check, configure an OCSP responder profile:

  1. Select Configuration > SSL > OCSP.
  2. Click New to create a new OCSP responder. The Create OCSP responder dialog displays.
  3. Configure the OCSP responder options:
    1. Enter a Name for the responder.
    2. URL - Indicates the location of the OCSP responder. The ProxySG needs this URL to locate the responder. This location can be obtained from the certificate's Authority Information Access (AIA) extension or from a user-defined configuration. The default is to use the URL from the certificate.
      • Use URL from certificate - Select this option if you want the ProxySG to look up the OCSP server location from the subject certificate's AIA extension.
      • Use URL - Select this option if you know the location of the designated OCSP responder. Enter a specific responder HTTP or HTTPS URL.
  4. Issuer CCL - This option determines which responder is contacted for a given client or server certificate. Typically, each certificate issuer designates one OCSP responder for all the certificates it issues. The issuer CCL attribute lets the administrator specify the certificate authorities (issuers) for which this responder is the designated responder: when a certificate is signed by one of the CAs in this CCL, the OCSP query for that certificate is sent to this responder. From the drop-down list, select a CA Certificate List (CCL) that contains the CA certificate names for which this is the designated responder. Each CA may appear in only one responder's Issuer CCL. The default is None.
  5. Response CCL - This attribute is used during verification of OCSP responses. From the drop-down list, select the CCL list you want to use. The default value is browser-trusted.
  6. Device Profile - This attribute is used when the responder URL is an HTTPS URL. From the drop-down list, select the device profile you want to use when connecting to the OCSP server via SSL. All existing profiles on the ProxySG appear. The device profile is a unique set of SSL ciphers suites, protocols, and keyrings. When the responder URL is HTTPS the ProxySG makes the HTTPS connection with this responder using its device profile. If the URL is HTTP the device profile is not used. The default value for the device profile attribute is default.
  7. Response Cache TTL - This option indicates how many days an OCSP response is cached on the ProxySG. The default is to use TTL from OCSP response.
    • Use the TTL from OCSP response - Select this option to use the value of the nextUpdate timestamp (see section 2.2 of RFC 2560) in the OCSP response. If this timestamp is not set or is in the past, the OCSP response is not cached on the ProxySG. The ProxySG permits a clock skew of up to five minutes with the responder's clock when validating the nextUpdate timestamp.
    • Use the TTL - Enter the length of time (in days) you want the OCSP response to be cached, regardless of the nextUpdate timestamp in the OCSP response. If TTL is set to 0, the response is not cached.
  8. Enable forwarding - This option specifies that OCSP requests are to be sent through a forwarding host, if configured. The default is to have forwarding enabled. Based on whether the responder URL is HTTP or HTTPS, the usual forwarding rules apply.
  9. Configure the extensions options:
    1. Enable nonce - To avoid replay attacks, click Enable nonce. A nonce is a random sequence of 20 bytes placed in an OCSP response. The default is to disable the use of a nonce.
    2. Request signing keyring - This keyring is used when an OCSP request is required to be signed. In this case, the ProxySG includes the certificate chain (minus the root CA) that is associated with this keyring to help the OCSP responder verify the signature. When a valid keyring is selected then OCSP request signing is enabled. When None is selected no request signing occurs.
  10. Configure the following Ignore Settings:
    • Ignore request failures - This setting ignores various connection errors. By default, connection errors are not ignored. The following failures are ignored by this setting:
      • The responder's URL is set to from-certificate and the URL in the certificate's AIA extension is neither HTTP nor HTTPS, or is not a valid URL.
      • The TCP layer fails to connect with the responder.
      • The responder URL is HTTPS and the initial SSL connection fails with the responder.
      • The TCP connection times out while reading the response from the responder.
      • The TCP connection fails for any reason not already listed.
      • The responder URL is HTTPS and a hostname mismatch error occurs on the responder's certificate.
      • The responder URL is HTTPS and an error occurs while analyzing the response. Any other error not caught is covered by the following ignore settings.
      • The OCSP responder returns an error message as described in section 2.3 of RFC 2560. For instance, when an OCSP query is sent to a responder that is not authorized to return an OCSP status for that certificate, the responder returns an unauthorized error, which appears as Responder error (unauthorized) in the ProxySG event log. Enabling this setting causes this error, as well as the other errors described in the RFC, to be ignored.
      • The OCSP responder returns a response that is not a basic OCSP response (see section 4.2.1 of RFC 2560).
    • Ignore expired responder certificate - This setting ignores invalid dates in the responder certificate. By default, invalid responder certificate dates cause the subject certificate verification to fail.
    • Ignore untrusted responder certificate - This setting ignores the response validation error that occurs when the responder's certificate cannot be trusted. By default, any untrusted certificate failure is an error and causes subject certificate verification to fail.
    • Ignore OCSP signing purpose check - This setting ignores errors related to the OCSP signing delegation and applies only to Scenarios B and C. (Refer to "Basic OCSP Setup Scenarios" in the SGOS Administration Guide.) The errors might occur in one of two ways:
      • Scenario B - The response signer certificate is not delegated for the OCSP signing. The event log records this error as missing OCSP signing usage.
      • Scenario C - The root CA does not have the trust setting enabled for the OCSP Signing. The event log records this error as root CA not trusted.
      • Either of these errors may be ignored by enabling this setting.
    • Ignore unknown revocation status - Select this setting so that an unknown revocation status is not treated as an error. By default, unknown status is an error and causes subject certificate verification to fail.
  11. Click OK.
  12. Click Apply.
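The following is an added example, not code from the SGOS product or this article, modelling three of the profile decisions described above: which responder URL is used (Use URL from certificate versus Use URL, with a non-HTTP(S) URL counting as a request failure), how long a response is cached under the two Response Cache TTL modes (including the five-minute clock skew on nextUpdate and TTL 0 meaning no caching), and how Good/Revoked/Unknown map to a verification result with and without Ignore unknown revocation status. The class and field names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

# Clock skew the article says the ProxySG tolerates when validating nextUpdate.
CLOCK_SKEW = timedelta(minutes=5)


@dataclass
class OcspProfile:
    """Subset of the responder profile options (field names are assumed)."""
    url: Optional[str] = None            # None = "Use URL from certificate"
    ttl_days: Optional[int] = None       # None = "Use the TTL from OCSP response"
    ignore_unknown_status: bool = False  # "Ignore unknown revocation status"


def responder_url(profile: OcspProfile, aia_url: Optional[str]) -> Optional[str]:
    """Pick the responder URL; None means a request failure (missing or non-HTTP(S) URL)."""
    url = profile.url if profile.url is not None else aia_url
    if not url or urlparse(url).scheme not in ("http", "https"):
        return None
    return url


def cache_lifetime(profile: OcspProfile, next_update: Optional[datetime],
                   now: datetime) -> Optional[timedelta]:
    """How long the response may be cached; None means it is not cached."""
    if profile.ttl_days is not None:
        # Fixed TTL overrides nextUpdate; a TTL of 0 disables caching.
        return timedelta(days=profile.ttl_days) if profile.ttl_days > 0 else None
    # Use nextUpdate from the response: it must be present and not in the past,
    # allowing the responder's clock to be up to CLOCK_SKEW behind ours.
    if next_update is None or next_update + CLOCK_SKEW <= now:
        return None
    return max(next_update - now, timedelta(0))


def revocation_verdict(status: str, profile: OcspProfile) -> str:
    """Map the responder's status to the subject-certificate verification result."""
    status = status.lower()
    if status == "good":
        return "pass"
    if status == "revoked":
        return "fail"
    if status == "unknown":
        return "pass" if profile.ignore_unknown_status else "fail"
    raise ValueError(f"unexpected OCSP status: {status}")
```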