Decryption Settings: Certificate Revocation Checking

Select Session, and in Decryption Settings, select Certificate Revocation Checking to set the parameters described in the following table.
Session Features: Certificate Revocation Checking Settings | Description

Enable: CRL
  Select this option to use the certificate revocation list (CRL) method to verify the revocation status of certificates.
  If you also enable Online Certificate Status Protocol (OCSP), the firewall first tries OCSP; if the OCSP server is unavailable, the firewall then tries the CRL method.
  For more information on decryption certificates, see Keys and Certificates for Decryption.

Receive Timeout: CRL
  If you enabled the CRL method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the CRL service.

Enable: OCSP
  Select this option to use OCSP to verify the revocation status of certificates.

Receive Timeout: OCSP
  If you enabled the OCSP method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the OCSP responder.

Block Session With Unknown Certificate Status
  Select this option to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block Session On Certificate Status Check Timeout
  Select this option to block SSL/TLS sessions after the firewall registers a CRL or OCSP request timeout. Otherwise, the firewall proceeds with the session.

Certificate Status Timeout
  Specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you optionally define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
  • If you enable both OCSP and CRL: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
  • If you enable only OCSP: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the OCSP Receive Timeout value.
  • If you enable only CRL: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the CRL Receive Timeout value.
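The following Python model is an added example, not code from the PAN-OS documentation or from the firewall itself. It encodes the rules this table states: the 1 to 60 second range of every timer, the OCSP-first/CRL-fallback order, the effective request timeout as the lesser of the Certificate Status Timeout and the applicable Receive Timeout(s), and the two fail-closed options (block on unknown status, block on timeout). The class and function names, and the way a service answer is represented ("good", "unknown", or None for no response within its Receive Timeout), are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RevocationSettings:
    """Hypothetical model of the Certificate Revocation Checking settings (field names are assumptions)."""
    enable_crl: bool = False
    crl_receive_timeout: int = 5          # seconds, 1 to 60, default 5
    enable_ocsp: bool = False
    ocsp_receive_timeout: int = 5         # seconds, 1 to 60, default 5
    block_unknown_status: bool = False    # Block Session With Unknown Certificate Status
    block_on_timeout: bool = False        # Block Session On Certificate Status Check Timeout
    certificate_status_timeout: int = 5   # seconds, 1 to 60, default 5

    def __post_init__(self) -> None:
        # Every timer in the table is constrained to 1..60 seconds; reject anything else up front.
        for name in ("crl_receive_timeout", "ocsp_receive_timeout", "certificate_status_timeout"):
            value = getattr(self, name)
            if not 1 <= value <= 60:
                raise ValueError(f"{name} must be between 1 and 60 seconds, got {value}")


def effective_timeout(s: RevocationSettings) -> Optional[int]:
    """Seconds after which the firewall registers a request timeout, per the three bulleted rules.

    Returns None when neither method is enabled, because no status check runs at all.
    """
    if not (s.enable_ocsp or s.enable_crl):
        return None
    # Both enabled: the aggregate of the two Receive Timeouts; one enabled: that method's Receive Timeout.
    aggregate = (s.ocsp_receive_timeout if s.enable_ocsp else 0) + (
        s.crl_receive_timeout if s.enable_crl else 0
    )
    return min(s.certificate_status_timeout, aggregate)


def check_revocation(
    s: RevocationSettings, ocsp_answer: Optional[str], crl_answer: Optional[str]
) -> Optional[str]:
    """Status the firewall ends up with: "good", "unknown", "timeout", or None if checking is disabled.

    Each answer is "good", "unknown", or None (the service did not respond within its Receive Timeout).
    The order follows the table: OCSP first, CRL only as the fallback when OCSP did not answer.
    """
    if not (s.enable_ocsp or s.enable_crl):
        return None
    if s.enable_ocsp and ocsp_answer is not None:
        return ocsp_answer
    if s.enable_crl and crl_answer is not None:
        return crl_answer
    return "timeout"


def session_decision(s: RevocationSettings, status: Optional[str]) -> str:
    """Return "block" or "allow", applying only the two blocking options this table defines."""
    if status == "unknown":
        return "block" if s.block_unknown_status else "allow"
    if status == "timeout":
        return "block" if s.block_on_timeout else "allow"
    if status in ("good", None):
        return "allow"
    # An explicit "revoked" answer is governed by settings outside this table and is not modelled here.
    raise ValueError(f"unsupported status: {status!r}")


if __name__ == "__main__":
    # Constructed configuration: both methods on, fail closed on unknown status and on timeout.
    cfg = RevocationSettings(
        enable_crl=True, enable_ocsp=True,
        block_unknown_status=True, block_on_timeout=True,
        certificate_status_timeout=8,
    )
    print("effective request timeout:", effective_timeout(cfg), "seconds")
    status = check_revocation(cfg, ocsp_answer=None, crl_answer="good")
    print("OCSP silent, CRL answers good ->", status, "->", session_decision(cfg, status))
    status = check_revocation(cfg, ocsp_answer=None, crl_answer=None)
    print("neither service answers ->", status, "->", session_decision(cfg, status))
```

With the defaults (both Receive Timeouts and the Certificate Status Timeout at 5 seconds), `effective_timeout` returns 5 whether one or both methods are enabled, which is why raising only the Receive Timeouts has no effect unless the Certificate Status Timeout is raised as well. The example also makes the fail-open default visible: with both blocking options left off, an unknown status or a timeout still yields "allow".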
