CCR Renegotiation List no longer working in 6.7.4.4+

Article ID: 206752

Products

ProxySG Software - SGOS
Advanced Secure Gateway Software - ASG

Issue/Introduction

The CCR (Client Certificate Requested) renegotiation list is a feature used to keep track of servers which request a client certificate via handshake renegotiation.

This is useful when the policy client.certificate.requested=yes ssl.forward_proxy(no) is deployed to automatically disable SSL interception for hosts which request a client certificate.

The use case is a server that does not request a client certificate on the initial handshake but may request one later during the TLS session. The first connection will break, as the proxy will likely not be configured to provide an acceptable client certificate. By keeping track of hosts that do this, the proxy can disable SSL interception on subsequent connections so that they work.

 

This feature is no longer working as of SGOS 6.7.4.4.

Resolution

This issue has been fixed in SGOS 6.7.5.12.

A workaround is to explicitly disable SSL interception for the affected sites.