Troja
Level 14

Revoked CRL not blocked by MWG

Hi all,

there is a website with a revoked certificate for test purposes: https://revoked-demo.pca.dfn.de/

If connecting directly with a browser, the website is not shown and an error message is shown (see screenshot).

revoked.JPG

But when connecting through MWG the website is displayed.

Can anyone tell me why?

Cheers,

Thorsten

0 Kudos
1 Solution

Accepted Solutions
asabban
Level 17

Re: Revoked CRL not blocked by MWG

Hello,

the list of CAs that is shipped with MWG does not contain the intermediate CAs for the mentioned host. Since the CRL/OCSP information is part of the intermediate CAs, MWG does not have any CRL/OCSP information. I will add the intermediate CAs to the CA list, to solve this issue.

Best,

Andre

0 Kudos
4 Replies
Troja
Level 14

Re: Revoked CRL not blocked by MWG

Hi Andre,

sounds perfect.

Question: must this be done by McAfee, or can this configuration change also be done by the customer?

Best,

Thorsten

0 Kudos
asabban
Level 17

Re: Revoked CRL not blocked by MWG

Hi Thorsten,

you can obtain the required CAs and CA URLs and add them to the list of CAs you are using, in case you do not use the subscribed list that is maintained at our end. In case you use the subscribed list you cannot modify it yourself, but you can add an additional list with your local changes.

Best,

Andre

0 Kudos
asabban
Level 17

Re: Revoked CRL not blocked by MWG

Hello,

the missing certificates are now part of the live list. When I go to the mentioned website the request is now blocked by the "block revoked certificates" rule as expected.

Best,

Andre

0 Kudos
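
The behaviour explained in the accepted answer, reproduced with the `openssl` command line as an added example (not part of the thread, and not MWG's own logic): a verifier with no revocation data for the issuing intermediate accepts a revoked leaf, and rejects the same chain once the intermediate's CRL is available. The toy PKI, subject names and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed toy PKI: root -> intermediate -> leaf, with the leaf revoked.
# Every name and file here is made up; nothing comes from the thread's site or MWG.

build_pki() {  # $1 = empty working directory; the shell stays in it afterwards
  cd "$1" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf '[ca]\ndefault_ca=int\n[int]\ndatabase=index.txt\ndefault_md=sha256\ndefault_crl_days=1\n' > ca.cnf
  : > index.txt
  # Issue the three certificates, then let the intermediate revoke the leaf
  # and publish a CRL that lists it.
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
      -keyout root.key -out root.pem &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
      -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.pem &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=revoked.example.test" \
      -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem &&
    openssl ca -config ca.cnf -keyfile int.key -cert int.pem -revoke leaf.pem &&
    openssl ca -config ca.cnf -keyfile int.key -cert int.pem -gencrl -out int.crl
  } >/dev/null 2>&1
}

verify_leaf() {  # $@ = extra `openssl verify` options; prints openssl's verdict
  openssl verify "$@" -CAfile root.pem -untrusted int.pem leaf.pem 2>&1
}

work=$(mktemp -d) && build_pki "$work" || { echo "openssl setup failed" >&2; exit 1; }
# 1) Chain validation only: the signature chain is fine, so the revoked leaf passes.
echo "no revocation check:      $(verify_leaf | tail -n 1)"
# 2) Revocation checking requested but no CRL for the issuer: openssl fails closed.
echo "check on, CRL missing:    $(verify_leaf -crl_check | grep lookup)"
# 3) Revocation checking with the intermediate's CRL: the leaf is rejected as revoked.
echo "check on, CRL available:  $(verify_leaf -crl_check -CRLfile int.crl | grep lookup)"
```

Case 1 is the outcome reported in the question; case 3 corresponds to the state after the intermediate CAs were added to the list.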