fab
Level 7

MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

Dear Community

Setup: Media Type Filtering with default Rules --> Block undetectable Data: Property List.OfMediaType.IsEmpty (MediaType.EnsuredTypes) == true

Looks like OCSP/CRL requests are dropped with this rule, for example:

|403|POST http://ocsp.thawte.com HTTP/1.1|Business, Software/Hardware|Minimal Risk||3287|353|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09||20||ocsp.thawte.com

This issue seems to be with all OCSP/CRL requests to Thawte or Verisign URLs. Any other idea to solve this problem other than whitelisting these requests?

Working Bypass Log Entry:

200|POST http://ocsp.thawte.com HTTP/1.1|Business, Software/Hardware|Minimal Risk|application/ocsp-response|1605|353|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09||0||ocsp.thawte.com

Note:

- Looks like the Media Type is not detected; if passed through the Media Type / Composite Opener, the application request is identified: "application/ocsp-response"

- Authentication works fine

Thanks for your input!

Regards,

Fab

0 Kudos
8 Replies
alexott
Level 11

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

Hi

Can you capture the data in these POST requests and post it here? Without data we aren't able to check this.

thank you

0 Kudos
fab
Level 7

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

Dear alexott

Do you want client or also gateway side tcp dumps?

thx

0 Kudos
alexott
Level 11

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

it's enough to have client's tcpdump - I want to see which data are sent from client. If possible, can you make several dumps, so we'll have different data files

thank you

0 Kudos
fab
Level 7

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

This is a typical OCSP request from the client. This request stays the same if I have the OCSP Rule activated or not. With the OCSP Rule in place, we will get an OCSP Response: Successful (0)

If you want full TCP Dumps, I would need your email address.

Thanks!

0 Kudos
alexott
Level 11

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

alex_ott at mcafee.com

thank you

0 Kudos
trevorw2000
Level 10

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

Was there a solution or workaround for this in respect of allowing the CRL/OCSP requests?  It's an issue I'm seeing as well.

Thanks!

0 Kudos
alexott
Level 11

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

Hi

Can you capture traffic that causes this problem, and send the dump to the address specified above?

thank you

0 Kudos
fab
Level 7

Re: MWG 7.2/7.3 Media Type Filtering CRL/OCSP Requests

Hello all

@alex: message is on the way.

@trevorw2000: the issue has been forwarded to McAfee and is now a "feature" request. The working solution is still the mentioned workaround rules to bypass the "non"-detection:

Something like:

IF Property List.OfMediaType.IsEmpty (MediaType.EnsuredTypes) == true

AND

IF Destination URL / IP is http://ocsp.thawte.com

THEN Stop Ruleset

regards

fab

0 Kudos
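An added example (not from the thread or from McAfee) for scoping the destination list of the workaround rule from the access log: it counts 403s with an empty media type per host and proposes only hosts that were also seen returning `application/ocsp-response`. The field positions are assumed from the two log lines quoted in the first post, and the third sample line is constructed.

```python
from collections import defaultdict

# Assumed field positions (inferred from the two log lines in the thread, after
# dropping a leading "|"): status, request line, ..., media type, ..., host last.
STATUS, REQUEST, MEDIA_TYPE, HOST = 0, 1, 4, -1
OCSP_RESPONSE = "application/ocsp-response"

SAMPLE_LOG = [
    # The two lines posted in the thread.
    "|403|POST http://ocsp.thawte.com HTTP/1.1|Business, Software/Hardware|Minimal Risk||3287|353|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09||20||ocsp.thawte.com",
    "200|POST http://ocsp.thawte.com HTTP/1.1|Business, Software/Hardware|Minimal Risk|application/ocsp-response|1605|353|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09||0||ocsp.thawte.com",
    # Constructed line: an undetectable POST to a host never seen speaking OCSP.
    "|403|POST http://upload.example.invalid HTTP/1.1|Business, Software/Hardware|Minimal Risk||3287|512|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_09||20||upload.example.invalid",
]

def parse(line):
    """Split one pipe-delimited access log line; return None if it is too short."""
    fields = line.strip().lstrip("|").split("|")
    if len(fields) < 12:
        return None
    return {
        "status": fields[STATUS],
        "method": fields[REQUEST].split(" ", 1)[0],
        "media_type": fields[MEDIA_TYPE],
        "host": fields[HOST],
    }

def bypass_candidates(lines):
    """Return (allow, review): blocked hosts with and without OCSP evidence."""
    blocked = defaultdict(int)  # host -> number of 403s with an empty media type
    confirmed = set()           # hosts seen answering with an OCSP response
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == "403" and rec["media_type"] == "":
            blocked[rec["host"]] += 1
        elif rec["media_type"] == OCSP_RESPONSE:
            confirmed.add(rec["host"])
    allow = {h: n for h, n in blocked.items() if h in confirmed}
    review = {h: n for h, n in blocked.items() if h not in confirmed}
    return allow, review

if __name__ == "__main__":
    allow, review = bypass_candidates(SAMPLE_LOG)
    print("candidates for the Stop Ruleset rule:", allow)
    print("blocked as undetectable, no OCSP evidence:", review)
```

Hosts in the second group stay subject to the "Block undetectable Data" rule until someone has looked at what they actually send.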