Select this option to use the certificate
revocation list (CRL) method to verify the revocation status of
certificates.
If you also enable Online Certificate Status
Protocol (OCSP), the firewall first tries OCSP; if the OCSP server
is unavailable, the firewall then tries the CRL method.
Receive Timeout: CRL
If you enabled the CRL method for verifying
certificate revocation status, specify the interval in seconds (1
to 60; default is 5) after which the firewall stops waiting for
a response from the CRL service.
Enable: OCSP
Select this option to use OCSP to verify
the revocation status of certificates.
Receive Timeout: OCSP
If you enabled the OCSP method for verifying
certificate revocation status, specify the interval in seconds (1
to 60; default is 5) after which the firewall stops waiting for
a response from the OCSP responder.
Block Session With Unknown Certificate Status
Select this option to block SSL/TLS sessions
when the OCSP or CRL service returns a certificate revocation status
of unknown. Otherwise, the firewall proceeds with the session.
Block Session On Certificate Status Check Timeout
Select this option to block SSL/TLS sessions
after the firewall registers a CRL or OCSP request timeout. Otherwise,
the firewall proceeds with the session.
Certificate Status Timeout
Specify the interval in seconds (1 to 60;
default is 5) after which the firewall stops waiting for a response
from any certificate status service and applies any session blocking
logic you optionally define. The Certificate Status Timeout relates
to the OCSP/CRL Receive Timeout as follows:
If you enable both OCSP and CRL—The firewall registers a request
timeout after the lesser of two intervals passes: the Certificate
Status Timeout value or the aggregate of the two Receive Timeout
values.
If you enable only OCSP—The firewall registers a request timeout
after the lesser of two intervals passes: the Certificate Status
Timeout value or the OCSP Receive Timeout value.
If you enable only CRL—The firewall registers a request timeout
after the lesser of two intervals passes: the