(Applies to TLSv1.2 and earlier) If you choose to allow sessions with untrusted issuers (not recommended) and only "Block sessions with expired certificates", there is a scenario in which a session with a trusted, expired issuer may be blocked inadvertently. When the firewall's certificate store contains a valid, self-signed Trusted CA and the server sends an expired CA in the certificate chain, the firewall does not check its certificate store. Instead, the firewall blocks the session based on the expired CA when it should find the trusted, valid alternative trust anchor and allow the session based on that trusted self-signed certificate.
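A small model of the chain walk this note describes, added here as an illustration and not the firewall's own code: evaluate_session() walks a server chain under the settings above (untrusted issuers allowed, expired certificates blocked), and the prefer_trust_store switch contrasts trusting the presented chain as sent with checking the local store for a valid anchor first. The Cert model, names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, not real ASN.1)."""
    subject: str
    issuer: str
    not_after: date

    def expired(self, today: date) -> bool:
        return today > self.not_after


def evaluate_session(chain, trust_store, today, prefer_trust_store):
    """Decide allow/block for a server chain (leaf first) under the note's settings:
    untrusted issuers allowed, expired certificates blocked.

    prefer_trust_store=False walks the presented chain as sent, so an expired CA
    in it blocks the session (the behaviour the note describes).
    prefer_trust_store=True checks the local store for a valid trusted anchor for
    each issuer name before trusting the copy the server sent.
    """
    anchors = {c.subject: c for c in trust_store}
    presented = {c.subject: c for c in chain[1:]}
    cur = chain[0]
    while True:
        if cur.expired(today):
            return False, f"blocked: expired certificate {cur.subject}"
        if cur.subject == cur.issuer:  # self-signed end of the path
            trusted = "trusted" if cur.subject in anchors else "untrusted"
            return True, f"allowed: {trusted} root {cur.subject}"
        anchor = anchors.get(cur.issuer)
        # Use the store copy when it is valid and we either prefer the store
        # or the server did not send this issuer at all.
        if anchor is not None and not anchor.expired(today) and (
                prefer_trust_store or cur.issuer not in presented):
            return True, f"allowed: anchored on trusted store certificate {anchor.subject}"
        nxt = presented.get(cur.issuer) or anchor
        if nxt is None:
            return True, f"allowed: untrusted issuer {cur.issuer} permitted by policy"
        cur = nxt


def scenario_from_note(prefer_trust_store):
    """Reproduce the note: valid self-signed root in the store, expired copy sent by server."""
    today = date(2024, 6, 1)
    root_in_store = Cert("Example Root CA", "Example Root CA", date(2030, 1, 1))
    expired_root_sent = Cert("Example Root CA", "Example Root CA", date(2023, 12, 31))
    leaf = Cert("www.example.com", "Example Root CA", date(2025, 1, 1))
    return evaluate_session([leaf, expired_root_sent], [root_in_store], today, prefer_trust_store)
```

Running scenario_from_note(False) blocks the session on the expired CA the server sent, while scenario_from_note(True) allows it, anchored on the valid self-signed root in the store.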