btlyric
Level 12

Random Revoked Certificate Situations

I haven't really focused in on this yet, but I've been seeing some situations where MWG reports that a certificate has been revoked, but out of band systems don't confirm that.

Although I have seen this with other sites, one of the main ones I see it with is Cisco sites.

Specifically:

cisco-tags.cisco.com 

news-tags.cisco.com 

mcc-tags.cisco.com 

Thoughts?

0 Kudos
4 Replies
chrisfi
Level 7

Re: Random Revoked Certificate Situations

That's interesting.

At the moment I am configuring our first (test) MWG7 system with SSL inspection and I have the same problem with the following (Cisco) site:

https://www.webex.de/login/attend-a-meeting

Does anybody know what the reason for this is?

When a client connects directly to the site (without MWG), there is no problem.

0 Kudos
McAfee Employee

Re: Random Revoked Certificate Situations

I have seen this before: Cisco has a CA for which they have not properly configured OCSP, or the CA does not know of its subordinate:

Issuer: DST Root CA X3

SubCA: Cisco SSCA2

These appear to be the same CAs used in the URLs you have given.

The MWG checks with the CA's OCSP responder, and the CA (DST Root CA X3) returns an "unknown" response for the subCA (Cisco SSCA2). This is why the block occurs.

Best,

Jon

0 Kudos
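The "unknown" answer Jon describes can be reproduced out of band with nothing but the OpenSSL CLI. The script below is an added illustration, not part of this thread or of any McAfee tooling: it creates a throw-away issuer and leaf, answers an OCSP request for the leaf from an offline responder database, and shows that a responder with no record of the certificate returns `unknown` rather than `revoked`. All names, serials and file paths are constructed for the demo, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added demo: an OCSP responder that has no record of a certificate answers
# "unknown"; a proxy that fails closed on anything but "good" then blocks.
# Issuer name, leaf name, serials and paths below are all constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throw-away issuer and a leaf certificate with a fixed serial (0x1234).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuer" \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1234 \
    -days 1 -out leaf.pem 2>/dev/null

# The OCSP request a checking proxy would send for the leaf.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der

# ocsp_status INDEXFILE: act as the issuer's responder using INDEXFILE (the
# OpenSSL "ca" index format), then print the certStatus the client sees.
ocsp_status() {
    openssl ocsp -index "$1" -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der 2>/dev/null
    # The client verifies the response against the issuer and reports
    # "leaf.pem: good|revoked|unknown"; keep only the status word.
    openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem \
        -CAfile ca.pem -no_nonce 2>/dev/null | sed -n 's/^leaf.pem: //p'
}

# Index rows: status (V=valid), expiry, revocation date (empty), serial,
# file name, subject. Only the serial column matters for the lookup.
printf 'V\t491231235959Z\t\t1234\tunknown\t/CN=leaf.example\n' > known.txt
printf 'V\t491231235959Z\t\t9999\tunknown\t/CN=other.example\n' > stale.txt

echo "responder knows the leaf:        $(ocsp_status known.txt)"
echo "responder has no record of it:   $(ocsp_status stale.txt)"
```

When confirming a block like the one in this thread, compare the status word itself: `unknown` means the responder cannot vouch for the certificate, not that it has been revoked, so the fix lies with the CA's responder data rather than with the site's certificate.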
btlyric
Level 12

Re: Random Revoked Certificate Situations

@chrisfi

WebEx isn't actually HTTP traffic encapsulated in SSL and the proxy doesn't understand what to do with it. A Stop Cycle rule for the WebEx destination will allow the traffic.

There's a McAfee subscription list that you can use for WebEx destination IP addresses and there's a template rule set for WebEx on contentsecurity.mcafee.com -- rule set 50027. The rule should go above your SSL Scanner rules.

chrisfi
Level 7

Re: Random Revoked Certificate Situations

@btlyric:

Thanks for the tip.

I tested with the Ruleset from the library and it works fine.

0 Kudos