...

Given how readily available the Untangle NG Firewall is, I used its SSL Inspector as an example. By default the Untangle SSL Inspector did not inspect traffic to https://badssl.com, so I modified its default configuration to inspect all HTTPS traffic. The other product tested is the Entensys UserGate UTM, which also provides SSL inspection. Note that the default UserGate rule "Decrypt for all unknown users" does not select the "Block sites with invalid certificates" option, so with the default configuration the client is allowed to connect to sites with invalid certificates.

...

Test (badssl.com) | Firefox 54.0.1 (Windows) | Chrome 60 (Windows) | Untangle SSL Inspector | UserGate Web Filter (Default config) | UserGate Web Filter (Block sites with invalid certificate)

Certificate
expired | SEC_ERROR_EXPIRED_CERTIFICATE | NET::ERR_CERT_DATE_INVALID | Reset | Allowed | "Incorrect SSL certificate"
wrong.host | SSL_ERROR_BAD_CERT_DOMAIN | NET::ERR_CERT_COMMON_NAME_INVALID | Blocked | Blocked | Blocked
self-signed | SEC_ERROR_UNKNOWN_ISSUER | NET::ERR_CERT_AUTHORITY_INVALID | Reset | Allowed | "Incorrect SSL certificate"
untrusted-root | SEC_ERROR_UNKNOWN_ISSUER | NET::ERR_CERT_AUTHORITY_INVALID | Reset | Allowed | "Incorrect SSL certificate"
revoked | SEC_ERROR_REVOKED_CERTIFICATE | NET::ERR_CERT_REVOKED | Allowed | Allowed | Allowed
pinning-test | MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE | NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN | Allowed | Allowed | Allowed
no-common-name | Allowed | Allowed | Allowed | Allowed | Allowed
no-subject | Allowed | Allowed | Reset | Reset | Reset
incomplete-chain | Allowed | Allowed | Reset | Allowed | "Incorrect SSL certificate"
sha1-intermediate | SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED | Allowed | Allowed | Allowed | Allowed
sha256 | Allowed | Allowed | Allowed | Allowed | Allowed
sha384 | Allowed | Allowed | Allowed | Allowed | Allowed
sha512 | Allowed | Allowed | Allowed | Allowed | Allowed
1000-sans | Allowed | Allowed | Allowed | Allowed | Allowed
10000-sans | SSL_ERROR_RX_MALFORMED_HANDSHAKE | ERR_SSL_PROTOCOL_ERROR | Blocked | Blocked | Blocked
ecc256 | Allowed | Allowed | Allowed | Allowed | Allowed
ecc384 | Allowed | Allowed | Allowed | Allowed | Allowed
rsa2048 | Allowed | Allowed | Allowed | Allowed | Allowed
rsa8192 | Allowed | Allowed | Allowed | Allowed | Allowed

Cipher Suite
cbc | Allowed | Allowed | Allowed | Allowed | Allowed
rc4-md5 | SSL_ERROR_NO_CYPHER_OVERLAP | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Reset | Blocked | Blocked
rc4 | SSL_ERROR_NO_CYPHER_OVERLAP | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Reset | Blocked | Blocked
3des | Allowed | Allowed | Allowed | Allowed | Allowed
null | SSL_ERROR_NO_CYPHER_OVERLAP | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Reset | Blocked | Blocked
mozilla-old | Allowed | Allowed | Allowed | Allowed |
mozilla-intermediate | Allowed | Allowed | Allowed | Allowed |
mozilla-modern | Allowed | Allowed | Allowed | Allowed |

Key exchange
dh480 | SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Reset | Allowed | Allowed
dh512 | SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Reset | Allowed | Allowed
dh1024 | Allowed | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Allowed | Allowed | Allowed
dh2048 | Allowed | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Allowed | Allowed | Allowed
dh-small-subgroup | Allowed | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Allowed | Allowed | Allowed
dh-composite | Allowed | ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Reset | Allowed | Allowed
static-rsa | Allowed | Allowed | Allowed | Allowed | Allowed

Certificate Transparency
invalid-expected-sct | Allowed | NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED | Allowed | Allowed | Allowed

Defunct
sha1-2016 | SEC_ERROR_EXPIRED_CERTIFICATE | NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM | Reset | Allowed | "Incorrect SSL certificate"
sha1-2017 | SEC_ERROR_EXPIRED_CERTIFICATE | NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM | Reset | Allowed | "Incorrect SSL certificate"
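The comparison in the table above, turned into a check you can run from a client behind the inspecting proxy. This is an added example, not part of the original page and not a tool from Untangle, Entensys or badssl.com. The script connects to badssl.com test hosts with Python's default certificate verification (so the proxy's CA must be in the system trust store for an inspected connection to verify) and lists the cases the browsers refuse but the inspected path accepts, which are the validation checks the proxy has dropped. The host list, the expected browser verdicts (copied from the Firefox and Chrome columns) and the constructed sample results (mirroring the UserGate default-config column) are assumptions of this example.

```python
"""Probe badssl.com test hosts from behind an SSL-inspecting proxy and
report the cases a browser blocks but the inspected path lets through.
Added example for this page; not a tool from any vendor named here."""
import socket
import ssl

# Expected browser verdicts, taken from the Firefox/Chrome columns of the
# results table: True means both browsers refuse the site.
# 'revoked' and 'pinning-test' are deliberately left out: revocation and
# key pinning are browser-side checks that a plain TLS client does not
# perform, so those two rows can only be confirmed in the browser itself.
BROWSER_BLOCKS = {
    "expired": True,
    "wrong.host": True,
    "self-signed": True,
    "untrusted-root": True,
    "incomplete-chain": False,
    "no-common-name": False,
    "sha256": False,
    "rc4": True,
    "null": True,
    "dh512": True,
    "static-rsa": False,
}

# Constructed sample of what probe() returns behind a proxy configured
# like the UserGate default rule in the table (assumed, for offline use).
SAMPLE_DEFAULT_CONFIG = {
    "expired": ("allowed", "proxy CA"),
    "wrong.host": ("blocked", "Hostname mismatch"),
    "self-signed": ("allowed", "proxy CA"),
    "untrusted-root": ("allowed", "proxy CA"),
    "incomplete-chain": ("allowed", "proxy CA"),
    "no-common-name": ("allowed", "proxy CA"),
    "sha256": ("allowed", "proxy CA"),
    "rc4": ("blocked", "connection reset"),
    "null": ("blocked", "connection reset"),
    "dh512": ("allowed", "proxy CA"),
    "static-rsa": ("allowed", "proxy CA"),
}


def probe(subdomain, timeout=5.0):
    """Connect to <subdomain>.badssl.com with default verification.
    Returns ('allowed', issuer CN) or ('blocked', reason)."""
    host = f"{subdomain}.badssl.com"
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # Each RDN in the issuer tuple is a tuple of (type, value)
                # pairs; the first pair of each RDN is enough for a label.
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return ("allowed", issuer.get("commonName", "?"))
    except ssl.SSLCertVerificationError as exc:
        return ("blocked", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Cipher/handshake failures, connection resets, timeouts.
        return ("blocked", str(exc))


def find_gaps(observed):
    """observed: {subdomain: (verdict, detail)} as returned by probe().
    Returns the sorted list of hosts the browsers block but the probed
    path allowed, i.e. the checks the inspection proxy dropped."""
    return sorted(
        name
        for name, (verdict, _detail) in observed.items()
        if BROWSER_BLOCKS.get(name) and verdict == "allowed"
    )


def sample_gaps():
    """Gap report over the constructed sample (runs offline)."""
    return find_gaps(SAMPLE_DEFAULT_CONFIG)


def run_probe(subdomains=tuple(BROWSER_BLOCKS)):
    """Probe every listed host live and return (observed, gaps)."""
    observed = {name: probe(name) for name in subdomains}
    return observed, find_gaps(observed)


if __name__ == "__main__":
    observed, gaps = run_probe()
    for name, (verdict, detail) in observed.items():
        print(f"{name:18} {verdict:8} {detail}")
    print("\nChecks dropped by the inspected path:", ", ".join(gaps) or "none")
```

Run it once with the proxy bypassed to confirm the baseline matches the browser columns (every `True` entry should come back `blocked`), then again through the proxy; any host that flips to `allowed` is a check the proxy is no longer enforcing on the client's behalf.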

...