Skyhigh Security

Certificate Verification

To configure Certificate Verification rule sets, navigate to Policy > Rule Sets > HTTPS Scanning.

This nested rule set handles the CERTVERIFY call in SSL-secured communication. It lets whitelisted certificates skip verification and blocks others according to particular criteria.

Nested library rule set — Certificate Verification
Criteria — Command.Name equals “CERTVERIFY”
Cycles — Requests (and IM)

The criteria specify that the rule set applies when a request received on the appliance carries the CERTVERIFY command, which is sent to request the verification of a certificate.

The following rule sets are nested in this rule set:

• Verify Signature Algorithms
• Verify Common Name (Proxy Setup)

The rule set contains the following rules:

Skip Verification for Certificates Found in Certificate Whitelist

SSL.Server.Certificate.HostAndCertificate is in list Certificate Whitelist –> Stop Rule Set
The rule lets whitelisted certificates skip verification.

Block Self Signed Certificates

SSL.Server.Certificate.SelfSigned equals true –> Block <Certificate incident>

The rule blocks requests with self-signed certificates.
The action settings specify a message to the requesting user.

Block Expired Server (7 Day Tolerance) and Expired CA Certificates

SSL.Server.Certificate.DaysExpired greater than 7 OR SSL.Server.CertificateChain.ContainsExpiredCA<Default> equals true –> Block <Certificate incident>

The rule blocks requests if the server certificate has been expired for more than 7 days or if any CA certificate in the chain has expired. A server certificate that expired within the last 7 days is tolerated; CA certificates get no tolerance.
The action settings specify a message to the requesting user.

Block Too Long Certificate Chains

SSL.Server.CertificateChain.PathLengthExceeded<Default> equals true –> Block <Certificate incident>

The rule blocks a certificate chain if its length exceeds the path length constraint permitted by the CA certificates in the chain.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.

Block Revoked Certificates

SSL.Server.CertificateChain.ContainsRevoked<Default> equals true –> Block <Certificate incident>

The rule blocks a certificate chain if one of the included certificates has been revoked.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.

Paranoid Certificate Chain Verification

SSL.Server.CertificateChain.AllRevocationStatusesKnown<Default> equals false OR SSL.Server.CertificateChain.IsComplete<Default> equals false –> Block <Certificate incident>

The rule blocks a certificate chain if the revocation status of at least one certificate is unknown or if the certificate chain is incomplete.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.

Block Unknown Certificate Authorities

SSL.Server.CertificateChain.FoundKnownCA<Default> equals false –> Block <Certificate incident>

The rule blocks a certificate chain if none of the certificate authorities (CAs) issuing the included certificates is a known CA.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.

Block Untrusted Certificate Authorities

SSL.Server.FirstKnownCAIsTrusted<Default> equals false –> Block <Certificate incident>

The rule blocks a certificate chain if the first known CA that was found is not trusted.
The settings in the property specify a list for the module that checks the certificate authorities.
The action settings specify a message to the requesting user.
