
SSLV Appliance is not offloading TLS sessions for the Proxy after Birth Certificate Expired on Nov. 15, 2021


Article ID: 228426

Products

SSL Visibility Appliance Software ProxySG Software - SGOS

Issue/Introduction

In some cases the SSLV is not able to offload TLS sessions for the Proxy after November 15th, 2021.


Cause

On November 15th, 2021 the Intermediate CA used to sign the SSLV's birth certificate expired. This birth certificate is used for mutual authentication between the SSLV and ProxySG. All customers were required to update the license and upgrade to 4.5.6.1 or later according to KB 207140.

In some instances the SSLV has been seen not to use the new birth certificate when communicating with the ProxySG for TLS offload.

In the SSL Session Logs, flows that should be decrypted may fail with "Invalid TLS Event".

In the ProxySG Event Logs, the following error can be seen: "CFSSL VERIFY ERROR: depth=1 error=certificate has expired: /C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=ABRCA/CN=SGVA"
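As an added example (not part of this article or of the ProxySG/SSLV software), the following Python script parses the CFSSL verify error quoted above and reports which chain depth failed, so an expired issuer (depth 1 and above) can be told apart from an expired peer certificate (depth 0). The sample log lines, their timestamp prefix and the depth=0 line are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the ProxySG event-log message quoted in
# the article. The timestamp prefix and the depth=0 line are hypothetical and
# only illustrate how the parser distinguishes an issuer from a peer failure.
SAMPLE_LOG = """\
2021-11-16 08:12:03 CFSSL VERIFY ERROR: depth=1 error=certificate has expired: /C=US/ST=California/L=Sunnyvale/O=Blue Coat Systems, Inc./OU=ABRCA/CN=SGVA
2021-11-16 08:12:05 CFSSL VERIFY ERROR: depth=0 error=certificate has expired: /C=US/O=Example Org/CN=example-peer
2021-11-16 08:12:07 TLS offload session established
"""

# Matches the CFSSL verify error as quoted in the article: an OpenSSL-style
# chain depth, the verify error text, and the failing certificate's subject DN.
VERIFY_ERROR_RE = re.compile(
    r"CFSSL VERIFY ERROR: depth=(?P<depth>\d+) error=(?P<error>[^:]+): (?P<dn>/.*)$"
)

def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/C=US/O=Acme, Inc./CN=x') into a dict.
    Splitting only before 'attr=' keeps ',' or '/' inside values intact."""
    fields = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", dn.strip("/")):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields

def parse_verify_errors(log_text):
    """Return one record per CFSSL verify error found in the log text."""
    records = []
    for line in log_text.splitlines():
        match = VERIFY_ERROR_RE.search(line)
        if not match:
            continue
        depth = int(match.group("depth"))
        records.append({
            "depth": depth,
            "error": match.group("error"),
            "subject": parse_dn(match.group("dn")),
            # OpenSSL numbering: depth 0 is the certificate presented by the
            # peer, depth 1 is its issuer, and so on up the chain.
            "role": "peer certificate" if depth == 0 else f"issuer at depth {depth}",
        })
    return records

def expired_issuers(records):
    """CNs of expired certificates above depth 0: the case the article describes,
    where the issuing CA expired and the peer's certificate must be reissued."""
    return [r["subject"].get("CN") for r in records
            if r["error"] == "certificate has expired" and r["depth"] > 0]

if __name__ == "__main__":
    found = parse_verify_errors(SAMPLE_LOG)
    for r in found:
        print(f"depth={r['depth']} ({r['role']}): {r['error']} CN={r['subject'].get('CN')}")
    print("expired issuers:", expired_issuers(found))
```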

Resolution

Manually upload a new license and passphrase to the SSLV Appliance. The passphrase is required, as it is what creates a new birth certificate. Both can be obtained from the Broadcom Support Portal under My Entitlements.

To force the SSLV to use the newly uploaded birth certificate, restart the SSLV from the UI.