SSL server certificate validation best practices
Article ID: 169432
Updated On:
Products
Issue/Introduction
You want to know about best practices for implementing server certificate validation for Forward proxy deployment.
Resolution
For a typical forward proxy deployment it is recommended to have server certificate validation enabled for HTTPS requests. By default server certificate validation is enabled unless its disabled via policy in VPM or CPL.
If certificate validation is disabled for all HTTPS requests with policy setup like below, this may expose client machines to HTTPS sites where the server certificate is expired, spoofed, issued by unknown signing authority or revoked.
With Visual Policy manager (VPM)
With Content policy Language (CPL)
<ssl> server.certificate.validate(no)
It is recommended to use disable server certificate validation policy selectively for know destination hosts, domains, IPs etc, where the HTTPS site could possibly an internal site or a site that is known to proxy admins but has certificate problems, i.e. untrusted issuer, expired, host name mismatch. Below is a sample of how to disable server certificate validation by domain
With Visual Policy manager (VPM)
With Content policy Language (CPL)
<ssl> url.domain=//mysite.local/ server.certificate.validate(no)
When ProxySG , ASG , SWG VA is deployed in forward proxy mode, regardless of whether SSL decryption is enabled or not, it will always perform server certificate validation under following conditions:
- For explicit deployment when with detect protocol options enabled under services --> Explicit HTTP proxy listeners or detect protocol enabled with via VPM or CPL
- For transparent deployment when proxy services --> HTTPS port 443 listener is intercepted with SSL proxy OR with with TCP tunnel proxy + detect protocol enabled
Feedback
