FAQ

Why doesn't my SGOS 5.x ProxySG appliance rule for client.certificate.requested=yes policy work all the time?

FAQ ID:    FAQ1528
Version:    2.0
Status:    Published
Published date:    08/25/2011
Updated:    03/14/2014
 

Answer

As described in FAQ893, SGOS v5.5.3.1 includes the "client.certificate.requested" policy for the SSL proxy. However, SGOS has a limitation for this policy, as described in the SGOS v5.5.x release notes:

-------------
❐ The SSL renegotiating feature causes a situation where when an IIS Server or an HTTP Server asks for the certificate, the following policy rule on the SSL Proxy will not work: client.certificate.requested=yes. The reason for this limitation is that the SSL Proxy does not run any policy rules during SSL renegotiations. The current workaround is to create a policy for these websites where SSL tunneling is set up instead of an intercept option.
For example:
 
<ssl-intercept>
url=http://www.example.com ssl.forward_proxy(no)
-----------
 
In the SGOS v6 line, SGOS v6.4.1.1 and above include an enhancement for SSL Client Certificate Renegotiation. This enhancement removes the above limitation.
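
To decide which sites need the tunneling workaround on SGOS 5.x, it helps to know whether the origin server asks for the client certificate in the first handshake or only after renegotiating. The following is an added example, not Blue Coat code: it assumes TLS 1.2 or earlier, a reassembled server-to-client byte stream captured on the origin-server side, and sample streams that are constructed here rather than taken from a capture.

```python
import struct

HANDSHAKE, CCS, APPDATA = 22, 20, 23   # TLS record content types
CERTIFICATE_REQUEST = 13               # handshake message type

def record(ctype, payload, version=0x0301):
    """Build one TLS record (used only to construct the sample streams)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def hs(mtype, body=b""):
    """Build one cleartext handshake message: type, 24-bit length, body."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def classify(server_stream):
    """Classify server-to-client TLS <= 1.2 bytes: 'initial', 'renegotiation', 'none'."""
    clear, encrypted_hs, after_ccs, pos = b"", 0, False, 0
    while pos + 5 <= len(server_stream):
        ctype, _ver, length = struct.unpack_from("!BHH", server_stream, pos)
        payload = server_stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CCS:
            after_ccs = True
        elif ctype == HANDSHAKE and not after_ccs:
            clear += payload            # messages may share or span records
        elif ctype == HANDSHAKE:
            encrypted_hs += 1           # first one is the server Finished
    pos = 0
    while pos + 4 <= len(clear):
        if clear[pos] == CERTIFICATE_REQUEST:
            return "initial"            # request visible in the first handshake
        pos += 4 + int.from_bytes(clear[pos + 1:pos + 4], "big")
    # A second encrypted handshake record means the session was renegotiated;
    # its contents (including any CertificateRequest) are not visible on the wire.
    return "renegotiation" if encrypted_hs > 1 else "none"

# Constructed sample streams (bodies are dummy bytes, not real captures).
HELLO = hs(2, b"\x00" * 38) + hs(11, b"\x00" * 10)
FINISHED = record(CCS, b"\x01") + record(HANDSHAKE, b"\xaa" * 48)
ASKS_UPFRONT = record(HANDSHAKE, HELLO + hs(13, b"\x00" * 6) + hs(14)) + FINISHED
ASKS_LATER = (record(HANDSHAKE, HELLO + hs(14)) + FINISHED
              + record(HANDSHAKE, b"\xbb" * 32)      # encrypted HelloRequest
              + record(HANDSHAKE, b"\xcc" * 96))     # encrypted renegotiation
PLAIN = record(HANDSHAKE, HELLO + hs(14)) + FINISHED + record(APPDATA, b"\xdd" * 64)
```

A site that classifies as "renegotiation" is a candidate for the ssl.forward_proxy(no) workaround on SGOS 5.x, since the rule client.certificate.requested=yes is not evaluated there.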

 

