Monitor Server Certificate Response Codes for Proxied HTTPS Traffic

Article ID: 171396

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Symantec recommends that all SGOS-based appliances be deployed with the strongest security policy possible. In an ideal world, denying all traffic from HTTPS servers that present invalid certificates would be a good first step. Unfortunately, that type of policy can block your users from legitimate resources, because not all HTTPS certificates are properly maintained.

This article provides steps to configure policy that monitors HTTPS traffic and records invalid certificates in a dedicated SSL access log. You can use your preferred log analysis tool (such as Blue Coat Reporter or Splunk) to analyze this data and report on the most-visited sites that present invalid HTTPS certificates. With this data in hand, you can plan further changes to your SSL security policy: whitelist trusted sites that do not offer good HTTPS certificates, and prevent users from accessing unknown sites that do the same.

Environment

This article applies to forward proxy deployments of SGOS appliances: ProxySG, Advanced Secure Gateway, and SWG VA.

Resolution

In following this solution, you will create a new access log with a custom format to track SSL errors, create policy that writes to the new log, and adjust the default Online Certificate Status Protocol (OCSP) settings so that the appliance does not reject this traffic during your analysis phase.

  1. Create a new access log via the proxy Command Line Interface (CLI).

    1. Log in to the proxy CLI with SSH, and enter enable mode (en) and configuration terminal mode (conf t).
    2. Enter the following commands:

(config)# access-log

(config access-log)# create format bcreporterssl_v2

(config access-log)# edit format bcreporterssl_v2

(config access-log bcreporterssl_v2)# type elff "date time c-ip x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk"

(config access-log bcreporterssl_v2)# exit

(config access-log)# create log sslvalidation

(config access-log)# edit log sslvalidation

(config access-log sslvalidation)# format-name bcreporterssl_v2

(config access-log sslvalidation)# exit

  2. Create SSL access and SSL intercept policy (local or central CPL)

    1. Open the web management console and go to Configuration > Policy > Policy Files.
    2. Select local policy, text editor, and click edit policy.
    3. Enter the following policy:

<ssl>
    server.certificate.validate(no)

<ssl-intercept>
    ssl.forward_proxy(no)

<proxy> client.protocol=ssl
    url.domain=websecurity.symantec.com access_log.sslvalidation(yes)
    url.domain=badssl.com access_log.sslvalidation(yes)

** For a production monitoring run, replace the two url.domain rules above with a single unconditional rule in this layer (the layer guard client.protocol=ssl already restricts it to HTTPS) that applies access_log.sslvalidation(yes), so that all HTTPS traffic is logged over a defined monitoring period.

  3. Adjust the default OCSP settings in the proxy CLI

    1. Log in to the proxy CLI with SSH, and enter enable mode (en) and configuration terminal mode (conf t).
    2. Type the following set of commands:

ocsp
create OCSP_check1
edit OCSP_check1
issuer-ccl browser-trusted
exit

  4. Monitor the resulting access logs for problems, and note the most common hosts.

    1. Monitor for OCSP revocation:

      • If SSL server certificate validation is activated and an OCSP responder is configured, revoked certificates can be monitored as well. Look for entries where:

        x-rs-certificate-observed-errors = revoked-by-ocsp

        2017-02-21 12:28:55 192.0.200.5 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.websecurity.symantec.com 443 - 192.168.1.211 0 0 - revoked-by-ocsp - none high *.websecurity.symantec.com "Technology/Internet" 1 1

        2017-02-21 12:30:51 192.0.200.41 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.badssl.com 443 - 192.0.200.211 0 0 - revoked-by-ocsp - none high revoked.badssl.com "Technology/Internet" 4 4

    2. Monitor for certificate hostname mismatch:

      • In these entries x-rs-certificate-observed-errors is none; the mismatch is visible by comparing the requested host (cs-host) with the name in the server certificate (x-rs-certificate-hostname).

        2017-02-21 12:06:50 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wronghost.websecurity.symantec.com 443 - 192.0.200.211 0 126 - none - - high cryptoreport.symantec.com "Technology/Internet" 1 1

        2017-02-21 12:07:18 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wrong.host.badssl.com 443 - 192.0.200.211 0 126 - none - - high *.badssl.com "Technology/Internet" 4 4
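As an added example (not part of the article and not a Symantec tool), the Python script below does the analysis that step 4 asks for when no reporting product is available: it parses records written in the bcreporterssl_v2 format defined in step 1, flags revocation and OCSP errors from the x-rs-certificate-observed-errors and x-rs-ocsp-error fields, derives hostname mismatches by comparing cs-host with x-rs-certificate-hostname, and ranks hosts by number of findings. The embedded sample records are the article's own four entries plus one constructed clean entry for example.com; the wildcard rule (a leading "*." covers exactly one DNS label) follows RFC 6125 and is an assumption of this script, not something the appliance documents here.

```python
"""Summarize invalid-certificate observations from the sslvalidation access log."""
import shlex
from collections import Counter, defaultdict

# Field order copied from the bcreporterssl_v2 ELFF format created in step 1.
FIELDS = (
    "date time c-ip x-exception-id sc-filter-result cs-categories sc-status "
    "s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port "
    "cs-uri-extension s-ip sc-bytes cs-bytes x-virus-id "
    "x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error "
    "x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname "
    "x-rs-certificate-hostname-category cs-threat-risk "
    "x-rs-certificate-hostname-threat-risk"
).split()

EMPTY = ("-", "none")  # values the log carries when a field reports no error

# Sample input: the four entries shown in the article plus one constructed
# clean entry (example.com) so the summary includes a host with no findings.
SAMPLE_LINES = [
    '2017-02-21 12:28:55 192.0.200.5 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.websecurity.symantec.com 443 - 192.168.1.211 0 0 - revoked-by-ocsp - none high *.websecurity.symantec.com "Technology/Internet" 1 1',
    '2017-02-21 12:30:51 192.0.200.41 - OBSERVED "Technology/Internet" 0 FAILED unknown - ssl revoked.badssl.com 443 - 192.0.200.211 0 0 - revoked-by-ocsp - none high revoked.badssl.com "Technology/Internet" 4 4',
    '2017-02-21 12:06:50 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wronghost.websecurity.symantec.com 443 - 192.0.200.211 0 126 - none - - high cryptoreport.symantec.com "Technology/Internet" 1 1',
    '2017-02-21 12:07:18 192.0.200.41 - OBSERVED "Technology/Internet" 0 TUNNELED unknown - ssl wrong.host.badssl.com 443 - 192.0.200.211 0 126 - none - - high *.badssl.com "Technology/Internet" 4 4',
    # constructed entry: a well-behaved site, nothing to report
    '2017-02-21 12:40:00 192.0.200.41 - OBSERVED "Technology/Internet" 200 TUNNELED unknown - ssl example.com 443 - 192.0.200.211 0 5210 - none - none high example.com "Technology/Internet" 1 1',
]


def parse_line(line):
    """Split one ELFF record into a dict keyed by field name.
    ELFF quotes values that contain spaces (multi-word categories), so the
    record is tokenized with shell-style quoting rather than str.split()."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(FIELDS, tokens))


def hostname_matches(requested, cert_name):
    """True when the certificate name covers the requested host.
    A leading '*.' matches exactly one DNS label (RFC 6125 section 6.4.3), so
    *.badssl.com covers wrong.badssl.com but not wrong.host.badssl.com."""
    requested = requested.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                # ".badssl.com"
        if not requested.endswith(suffix):
            return False
        first_label = requested[: -len(suffix)]
        return first_label != "" and "." not in first_label
    return requested == cert_name


def classify(rec):
    """Return the list of findings for one record (empty if the cert looked fine)."""
    findings = []
    observed = rec["x-rs-certificate-observed-errors"]
    if observed not in EMPTY:
        findings.append(observed)             # e.g. revoked-by-ocsp
    if rec["x-rs-ocsp-error"] not in EMPTY:
        findings.append("ocsp-error:" + rec["x-rs-ocsp-error"])
    cert_name = rec["x-rs-certificate-hostname"]
    # The article's mismatch samples log observed-errors=none, so the hostname
    # check is done here by comparing cs-host with the certificate name.
    if cert_name != "-" and not hostname_matches(rec["cs-host"], cert_name):
        findings.append("hostname-mismatch")
    return findings


def summarize(lines):
    """Map each cs-host that produced findings to a Counter of finding labels."""
    per_host = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and ELFF directives
            continue
        rec = parse_line(line)
        for finding in classify(rec):
            per_host[rec["cs-host"]][finding] += 1
    return dict(per_host)


def report(lines, top=10):
    """Print the hosts with the most findings, most frequent first."""
    summary = summarize(lines)
    ranked = sorted(summary.items(), key=lambda kv: -sum(kv[1].values()))
    for host, counts in ranked[:top]:
        print(f"{sum(counts.values()):4d}  {host:45s} {dict(counts)}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python3 sslsummary.py sslvalidation.log
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh)
    else:
        report(SAMPLE_LINES)
```

Run it against an exported sslvalidation log to get a ranked list of hosts; hosts that users visit most and that carry only a hostname mismatch or an expired certificate are the candidates for a whitelist rule, while hosts with revoked-by-ocsp findings are the ones to block first.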