This feature lets you configure the product so that, during the TLS handshake, it generates server certificates that reproduce the defects of the original server certificate, allowing browsers to show their native certificate-error behaviour.
Secure Web Gateway validates the server certificate in its certificate verification process when HTTP Scanning and the certificate verification rules are enabled in the policy. With this feature you have a "Preserve/Mimic Server Certificate" option instead of the usual Block action on certificate errors: the browser, not the gateway, decides how to present the error to the user.
Property evaluation in rules:
SWG has two kinds of properties related to certificate handling.
1. Properties that need no configuration or setting (examples; the list is not exhaustive)
- Expired Certificates
- Self-Signed Certificates
- Common name mismatch
- Key type / size strength
These properties of the server certificate are preserved/mimicked without being evaluated in the policy; no rule has to evaluate them for SWG to preserve this behaviour.
2. Properties that take a configuration or setting (examples; the list is not exhaustive)
- Revocation status
For these to be mimicked, at least one property that takes a configuration must be evaluated in the policy during Certificate Verification. For example, for the revocation status to be mimicked, a rule like the following must be evaluated (the Continue action keeps the rule from blocking; its only purpose is to make the property evaluation happen):
SSL.Server.CertificateChain.ContainsRevoked<Default> equals true (or false) → Continue (action)
Evaluating this one property is enough for the other configured properties, such as Unknown CA, to be mimicked as well.
To Enable this feature follow these steps:
1) Enable the event "Enable Native Browser CA".
2) Configure this event in the Certificate Verification rule set of the policy (the rule set with the "CERTVERIFY" command-name criteria). You can customise the certificate verification rules as required, either by disabling them or by changing their "Block" action.
3) The "Enable Native Browser CA" event has a setting: provide the "Untrusted CA" that SWG signs with to generate the "unknown/untrusted CA" certificate. This CA must not be present in the browsers' trust stores; if it were trusted, the re-signed certificate would be accepted silently and the browser would never show the untrusted-issuer error.
4) To mimic behaviours such as revoked, unknown CA and untrusted CA, the policy must contain a rule that evaluates at least one of these properties, as described under property evaluation above.