Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
829
Views
0
Helpful
2
Replies

WSA removes CRL information in certificate.

FredrikW73
Level 1
Level 1

‎09-06-2022 02:11 AM - edited ‎09-08-2022 01:51 AM

Our WSA-proxy performs TLS-decryption for End-User Notification. 
If a user tries to visit a webpage in a forbidden URL category (not permitted by policy) then a block message is shown. 
If the user uses Firefox or Google Chrome then everything works as intended. 
If the user however uses Microsoft Edge then he will get a certificate warning complaining that there is no information
regarding revocation checks:  "NET::ERR_CERT_NO_REVOCATION_MECHANISM".

I understand that this is because the WSA removes CRL info from the certificate. 
Firefox and Google Chrome don´t mind this but Microsoft Edge complains.
Is there a way to configure the WSA to include info about a revocation mechanism for the temporary certificates it generates?

As it is now, TLS-decryption is not usable for Microsoft Edge users in our network (i.e. 95 % of all users).

Labels:
0 Helpful
2 Replies 2

amojarra
Cisco Employee
Cisco Employee

‎09-07-2022 03:49 AM

Hi @FredrikW73 

WSA uses OCSP to do certificate revocation .

Online Certificate Status Protocol (OCSP). The Web Security appliance checks the revocation status with the issuing certificate authority in real time. If the issuing certificate authority supports OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by default for fresh installations and disabled by default for updates

 

Previously there were some issue with older versions of Google chrome, they did not support OCSP. 

you can check if it is Enabled in your Edge due to your organizations policies:

kindly check this link please : Microsoft Edge Browser Policy Documentation | Microsoft Docs

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

0 Helpful

FredrikW73
Level 1
Level 1
In response to amojarra

‎09-07-2022 04:49 AM - edited ‎09-07-2022 06:15 AM

I activated the OCSP check in the WSA proxy. Maybe the proxy verifies the server certificate, checking
for revocation status, but no info about revocation mechanisms is included in the decryption certificate
passed down to the client.

Microsoft Edge still do not accept the certificate for web page created by the proxy.

Below is an example of me trying to visit a web page in a blocked URL category.
The certificate created by the proxy for the notification is not accepted by Edge
browser since information about CRLs and such is missing.

Should have been a block pageShould have been a block page

0 Helpful
Customers Also Viewed These Support Documents