4 Replies Latest reply on May 16, 2014 3:09 PM by consoul

    Enable Certificate Verification + Bypass SSL Content Inspection

    btlyric

      I'm testing a rule set that will skip SSL content inspection for a set of connections when one of the criteria is that the SSL Certificate CN matches in a specific list.


      It looks something like this:


      New Rule Set
         Top level criteria: Command.Name equals CONNECT OR Command.Name equals CERTVERIFY

      Set Client Context for SSL
         Criteria: Command.Name equals CONNECT
         Action:   Continue
         Event:    Enable SSL Client Context with CA <Default CA>

      Enable Certificate Verification
         Criteria: Command.Name equals CONNECT AND URL.Destination.IP matches in list LIST
         Action:   Stop Cycle
         Event:    Enable SSL Scanner <Default Certificate Verification>

      Skip SSL Inspection
         Criteria: URL.Destination.IP matches in list LIST AND SSL.Server.Certificate.CN matches in list CN-list AND SSL.Server.Certificate.DaysExpired less than 7 AND SSL.Server.CertificateChain.ContainsRevoked<CAs> equals false
         Action:   Stop Cycle

      This appears to work as expected, but I was wondering if there were any gotchas I should take into consideration.


      Thanks!
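To make the cycle-by-cycle behaviour of the rule set above concrete, here is an added Python model of it (not McAfee Web Gateway code and not from the poster): it walks the three rules in order for a CONNECT cycle and then a CERTVERIFY cycle, so you can see which constructed connections end up skipped versus falling through to inspection. The IP list, CN list, and the assumption that the CERTVERIFY cycle only runs when certificate verification was enabled are all mine.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample lists standing in for LIST and CN-list in the post.
LIST = {"203.0.113.10", "203.0.113.11"}
CN_LIST = {"intranet.example.com"}


@dataclass
class Cycle:
    """Properties visible to the rules during one processing cycle."""
    command: str                      # Command.Name: "CONNECT" or "CERTVERIFY"
    dest_ip: str                      # URL.Destination.IP
    cert_cn: Optional[str] = None     # SSL.Server.Certificate.CN (CERTVERIFY only)
    days_expired: int = 0             # SSL.Server.Certificate.DaysExpired
    chain_contains_revoked: bool = False  # SSL.Server.CertificateChain.ContainsRevoked<CAs>
    events: List[str] = field(default_factory=list)


def evaluate(c: Cycle) -> str:
    """Apply the rule set top to bottom; return which rule ended the cycle."""
    if c.command not in ("CONNECT", "CERTVERIFY"):
        return "no-match"                       # top-level criteria not met
    # Rule 1: Set Client Context for SSL (action Continue, so evaluation goes on)
    if c.command == "CONNECT":
        c.events.append("Enable SSL Client Context with CA <Default CA>")
    # Rule 2: Enable Certificate Verification (action Stop Cycle)
    if c.command == "CONNECT" and c.dest_ip in LIST:
        c.events.append("Enable SSL Scanner <Default Certificate Verification>")
        return "verify"
    # Rule 3: Skip SSL Inspection (action Stop Cycle); CN is only known in CERTVERIFY
    if (c.dest_ip in LIST and c.cert_cn in CN_LIST
            and c.days_expired < 7 and not c.chain_contains_revoked):
        return "skip"
    return "fall-through"                       # later rule sets (inspection) run


def process(dest_ip: str, cert_cn: str, days_expired: int = 0,
            revoked: bool = False) -> Tuple[str, Optional[str]]:
    """Run the CONNECT cycle, then (assumption) CERTVERIFY only if rule 2 enabled it."""
    connect = Cycle("CONNECT", dest_ip)
    first = evaluate(connect)
    if first != "verify":
        return first, None
    certverify = Cycle("CERTVERIFY", dest_ip, cert_cn, days_expired, revoked)
    return first, evaluate(certverify)
```

A listed IP with a listed, current, unrevoked CN yields ("verify", "skip"); the same IP with an unlisted CN, a certificate expired 7 or more days, or a revoked chain yields ("verify", "fall-through") and is inspected.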