«SSL M a nag er C e rt if i ca t e V e ri f ic at io n Eng ine We bsense Cont ent G ate way v7. 6.2 Websense Content Gateway SSL Manager Certificate ...»
SSL M a nag er C e rt if i ca t e V e ri f ic at io n Eng ine
We bsense Cont ent G ate way
Websense Content Gateway SSL Manager Certificate Verification Engine
Copyright © 1996-2012 Yahoo, Inc., and Websense, Inc. All rights reserved.
This document contains proprietary and confidential information of Yahoo, Inc and Websense, Inc. The contents of this document may not be
disclosed to third parties, copied, or duplicated in any form, in whole or in part, without prior written permission of Websense, Inc.
Websense, the Websense Logo, ThreatSeeker and the YES! Logo are registered trademarks of Websense, Inc. in the United States and/or other countries. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.
Every effort has been made to ensure the accuracy of this manual. However, Websense Inc., and Yahoo, Inc. make no warranties with respect to this documentation and disclaim any implied warranties of merchantability and fitness for a particular purpose. Websense Inc. shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.
Traffic Server is a trademark or registered trademark of Yahoo! Inc. in the United States and other countries.
Red Hat is a registered trademark of Red Hat Software, Inc.
Linux is a registered trademark of Linus Torvalds.
Microsoft, Windows, Windows NT, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Mozilla and Firefox are registered trademarks of the Mozilla Foundation.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and in other countries.
UNIX is a registered trademark of AT&T.
All other trademarks are property of their respective owners.
RESTRICTED RIGHTS LEGENDUse, duplication, or disclosure of the technical data contained in this document by the Government is subject to restrictions as set forth in subdivision (c) (1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 52.227-7013 and/or in similar or successor clauses in the FAR, or in the DOD or NASA FAR Supplement. Unpublished rights reserved under the Copyright Laws of the United States. Contractor/manufacturer is Websense, Inc, 10240 Sorrento Valley Parkway, San Diego, CA 92121.
Portions of Websense Content Gateway include third-party technology used under license. Notices and attribution are included elsewhere in this manual.
1 SSL Manager Certificate Verification Engine v7.6.2 The Websense® Web Security Gateway proxy component – Content Gateway – includes a feature called SSL Manager. SSL Manager oversees SSL and TLS (HTTPS) connections, decryption, analysis of content, and re-encryption.
This article describes the most effective use of the Certificate Verification Engine, a sub-component of SSL Manager. The Certificate Verification Engine ensures that only those connections that comply with your organization’s IT security requirements for certificate verification are allowed.
This guide includes:
Overview SSL Manager Certificate Verification Engine (CVE) CVE Best Practices Certificate Verification Failures and Remediation Options Troubleshooting Certificate Verification Failures Frequently Asked Questions Known Issues Additional Resources Glossary For general information on SSL Manager, see Working with Encrypted Data in the Websense Technical Library. (Several articles follow in a sequence. Use the rightpointing navigation button at the top and bottom of each article.)
Overview The SSL and TLS protocols used by HTTPS Web traffic are the standard for establishing secure connections and transmission of secure data on the Internet.
Although SSL and TLS are considered strong security protocols, if mismanaged HTTPS can be compromised in ways that leave it vulnerable to many of the same security problems found in standard HTTP traffic.
An essential feature of SSL/TLS is the connection handshake, including digital certificate exchange between the client and server that verifies that each agent is who it says it is.
Verification checks are performed and configurable in Content Gateway.
In the following list, quoted field names (“ ”) are those used by Internet Explorer Version 8 (IE8).
Common verification checks include:
1. The certificate must be issued by a trusted Certificate Authority (CA).
2. The fully qualified hostname in the HTTPS request URL and the certificate owner (“Issued to” name) must match. Exceptions are explained in the SSL Manager Certificate Verification Engine (CVE) section.
3. The certificate must be current (within its “Valid from...to...” date range).
4. The certificate must not be on a revocation list (either CRL or OCSP).
5. Checks 1-4 are recursively applied to every certificate in the trust chain.
Below is a certificate as it appears in IE8. The numbers in red correspond to checks in the preceding list.
SSL Manager Certificate Verification Engine (CVE) Prior to establishing an HTTPS connection, it is the job of the Certificate Verification Engine to verify that the Certificate Authority (CA) certificates offered by destination HTTPS servers are legitimate and meet the configured set of verification conditions.
To turn on the CVE:
Enable the certificate verification engine
Deny Certificates where the common name does not match the URL Allow wildcard certificates No expired or not yet valid certificates (default option) Verify entire certificate chain (default option) Check certification revocation by CRL (default option) Check certification revocation by OCSP Preferred method for revocation check Block certificates with no CRL or with unknown OCSP state CVE options For Help system documentation on the CVE, see Validating certificates.
Configuration options are set in Content Gateway Manager on the Configure SSL Validation General page. The illustration below shows the page with the default settings.
If you plan to use the CVE, be sure to acquaint yourself with these topics:
Troubleshooting certificate verification failures Certificate Verification Failures and Remediation Options SSL transaction logging CVE configurations This section describes a phased approach to deploying certificate verification.
It is recommended that in addition to the production environment, Content Gateway be installed in a controlled test environment in which phased configuration can be tested and monitored, and problems remediated and tested again. When the test environment is functioning as desired, the configuration can be rolled out to the production environment with continued monitoring and testing.
The starting point assumes that Content Gateway is stable and SSL Manager is off.
The phases of SSL Manager and CVE deployment include:
1. Enabling SSL Manager.
2. Enabling the CVE with only the certificate revocation (CRL) check enabled.
3. Adding CVE checks to the configuration as needed.
Enabling SSL Manager
Before enabling SSL Manager, verify that Content Gateway:
Is installed in a supported environment that includes a network test segment Is passing explicit or transparent traffic as expected Is integrated with Web Security, including Scanning options set and policy applied as expected Is handling HTTP traffic as expected
The performance monitoring graphs show a predictable ramp up in traffic with no unexplained traffic spikes All mission critical Web sites and Web-hosted applications have been validated to work properly through the proxy
When the above conditions are met:
Enable SSL Manager.
Confirm that HTTPS traffic is passing through Content Gateway.
Verify that clients are not receiving certificate errors in the browser. If they are, see these instructions on installing the Internal Root CA.
Test by accessing several sites that are commonly used in your organization.
Check certification revocation by OCSP Preferred method for revocation check In version 7.6.0 and 7.6.2, this option has no effect. The CRL check is always performed first.
Block certificates with no CRL or with unknown OCSP state Because many certificates have missing or blank CRL or OCSP information, this option can produce a large number of “Unknown revocation state” errors. For this reason, use of this option is not recommended in versions up to and including 7.6.2. The CVE logic for this option will change in a future release.
CVE with Verification Bypass enabled An additional option includes use of SSL Manager Verification Bypass (Configure SSL Validation Verification Bypass). This option has the effect that when certificate verification fails, a dialog box warns the user of the failure and gives the user the option to go to the site anyway.
Certificate verification is performed and incidents are logged, but users aren’t blocked. Users are allowed to make the decision about whether a site is safe.
Administrators can see how the CVE affects the network before allowing it to impact users or require an administrator response.
By monitoring the Incident List, administrators can put remediation actions in place before enforcing certificate verification and impacting users.
Verification bypass provides a response to users that is much like the warning dialogs used by common browsers.
Security is compromised because the choice to drop the connection is given to the user.
In cases where the HTTPS request is for an object embedded in the page or in another page, and its certificate verification fails, the bypass page may not render.
Best practices summary After Content Gateway is deployed, quickly identify and resolve Web applications that have problems transiting the proxy.
Work in a test environment.
Turn on SSL Manager, monitor, test, and stabilize.
Turn on CVE checks one at a time, test, monitor, remediate, and retest.
Roll out the configuration to a subset of users.
To reduce administrative overhead, do not enable checks that aren’t required by your IT security policy.
The primary remediation options include:
1. Correcting the certificate problem. See Troubleshooting certificate verification failures and the SSL Manager trusted certificate store.
2. Bypassing certificate verification via SSL Decryption bypass, the SSL Manager Incident List, or another bypass option. See Bypass options.
3. Enabling or disabling CVE options.
4. Using the CVE Verification Bypass option to give users the ability to proceed to a site after certificate verification fails.
Websense Content Gateway 11SSL Manager Certificate Verification Engine v7.6.2
SSL Manager trusted certificate store When version 7.6 of Content Gateway is installed, all Certificate Authorities trusted by Internet Explorer 7 are included in the SSL Manager trusted certificate store.
The list is accessed in Content Gateway Manager on the Configure SSL Certificates Certificate Authorities tab.
Destination servers (the target of outbound traffic from SSL Manager) can trust Web servers with these certificates. Note that lowercase “i” appears before the name of some certificates validated via CRL (certificate revocation lists) or OCSP (online certification status protocol). These certificates provide URLs where their revocation status can be verified. See Keeping revocation information up to date.
You can manually add, delete, or change the status of a certificate.
SSL Manager checks the revocation status of a certificate for both inbound and outbound traffic.
Help system information on SSL Manager certificate management starts here.
SSL transaction logging SSL Transaction logging is described here.
Bypass options Bypass is the term used to describe several methods of specifically allowing a request to circumvent (bypass) all or select features of Content Gateway. Full proxy bypass is often called tunneling.
In this discussion take note of when bypass affects:
Only certificate verification Certificate verification and SSL decryption Complete bypass of Content Gateway
These are the primary bypass methods:
TRITON – Web Security SSL decryption bypass (category and destination hostname/IP address) The Content Gateway SSL Manager Incident List Content Gateway ARM bypass (transparent proxy) Explicit proxy PAC file bypass Transparent proxy routing device ACL bypass Allow users to continue after failure (Configure SSL Validation Verification Bypass) TRITON – Web Security SSL Decryption Category bypass and Hostname/IP address bypass In TRITON – Web Security you can specify categories, or hostnames, or IP addresses of Web sites for which SSL decryption and inspection are not performed.
See SSL Decryption Bypass.
If Content Gateway is set up as an explicit proxy, certificate verification is bypassed, leaving certificate verification subject to the settings of the client browser. This is the best practice for bypass in explicit proxy deployments.