CRL Checking in WebMarshal


This article applies to:

  • WebMarshal 6.12 and above
  • Certificate Revocation checking

Question:

  • How do I enable checking of Certificate Revocation in WebMarshal?
  • What options are available to tune the revocation check feature?

Procedure:

From version 6.12, WebMarshal can check the revocation status of HTTPS certificates.

From version 7.0, WebMarshal checks revocation status using OCSP stapled responses if available, as well as HTTP based CRL distribution points (CDPs).

  • Only the site certificate is checked. Other certificates in the chain (intermediate or root certificates) are not checked for revocation in current versions of WebMarshal.

To enable checking, use the WebMarshal Console:

  1. Enable Certificate revocation checking: See the HTTPS Content Inspection tab of General Settings.
  2. Add rules that check for the specific revocation status. See the following options for the HTTPS Rule Condition Where the Server Certificate is Invalid:
    • Certificate is revoked
    • Certificate revocation check failed

In new installations of WebMarshal 6.12 and above, this feature is enabled by default when you enable HTTPS inspection. A default HTTPS rule is present to block sites that use revoked certificates (only for sites that are inspected).

Caution:

CRL checking is CPU intensive. If many CRL checks are requested at the same time, system performance can be affected. In the worst case, the delay for CRL checking could cause SSL negotiation to time out, and access to the sites might be denied. To check CRLs when inspecting all HTTPS sites, you may need to improve the system specification. Also, disable the "full" service logging level for WebMarshal services unless you are actively researching an issue, because full logging is also processing intensive.

Implementation Notes:

CRL management is performed by the Node Controller service. The Proxy service requests information from the Controller.

OCSP Stapling
WebMarshal uses the OCSP stapled revocation information from the TLS handshake, if it is present, valid, and trusted.

CRL Distribution Points
If OCSP information is not included in the handshake or is not valid, WebMarshal uses HTTP based CRL distribution points (CDPs) found in the certificate.

CRL Access
If the CRL cannot be accessed at the CDP, revocation status is set to "unknown".

CRL Check Timeout
By default, the CRL check times out after 5 seconds. If the CRL has not been retrieved in this time, the revocation status is set to "unknown".

CRL Caching
WebMarshal keeps the retrieved CRLs on disk in the subfolder temp\CRLCache of the WebMarshal installation folder on each processing node. (Allow up to 500MB of space for this folder.)

By default the cached files are retained for 27 hours. When the proxy requests CRL information, the information is returned from the cache if possible. The maximum cache age can be configured.

Caching can be completely disabled (not recommended, due to the effect on performance and user browsing experience).
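The decision order described in the Implementation Notes above (stapled OCSP first, then HTTP CDPs, "unknown" when the CRL cannot be fetched or the download exceeds the timeout, and a cache aged in hours) can be modelled in a few lines. The following is an added example, not WebMarshal's own code: the class and function names are hypothetical, the 5 second timeout and 27 hour cache age are the article's defaults, and it assumes (as the article's wording suggests) that a CDP that cannot be reached ends the check with "unknown" rather than trying the next CDP. In rule terms, "revoked" is what the "Certificate is revoked" condition matches and "unknown" is what "Certificate revocation check failed" matches.

```python
"""Model of WebMarshal's revocation decision order (added example, hypothetical names)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class StapledOcsp:
    status: str    # "good" or "revoked" as reported by the responder
    valid: bool    # well formed and inside its validity window
    trusted: bool  # signed by a responder the proxy trusts


@dataclass
class SiteCertificate:
    serial: str                 # only the site (leaf) certificate is checked
    cdp_urls: List[str]
    stapled: Optional[StapledOcsp] = None


# fetch(url) -> (set of revoked serials, or None if unreachable; seconds the download took)
Fetcher = Callable[[str], Tuple[Optional[Set[str]], float]]


class ScriptedFetcher:
    """Stand-in for the HTTP download, scripted per URL so the model runs offline."""

    def __init__(self, responses: Dict[str, Tuple[Optional[Set[str]], float]]):
        self.responses = responses
        self.calls: List[str] = []

    def __call__(self, url: str) -> Tuple[Optional[Set[str]], float]:
        self.calls.append(url)
        return self.responses.get(url, (None, 0.0))  # unknown URL behaves as unreachable


@dataclass
class RevocationChecker:
    fetch: Fetcher
    aging_hours: int = 27   # CRLAgingPeriodHours; 0 disables the cache
    timeout_sec: int = 5    # CRLDownloadTimeoutSec
    cache: Dict[str, Tuple[Set[str], float]] = field(default_factory=dict)  # url -> (serials, fetched_at)

    def status(self, cert: SiteCertificate, now_hours: float) -> str:
        """Return "good", "revoked" or "unknown" for the site certificate."""
        s = cert.stapled
        if s is not None and s.valid and s.trusted:
            return s.status                       # usable stapled OCSP needs no download
        for url in cert.cdp_urls:
            if not url.lower().startswith("http"):
                continue                          # only HTTP based CDPs are used
            serials = self._crl(url, now_hours)
            if serials is None:
                return "unknown"                  # CRL not accessible or timed out
            return "revoked" if cert.serial in serials else "good"
        return "unknown"                          # certificate carries no usable CDP

    def _crl(self, url: str, now_hours: float) -> Optional[Set[str]]:
        if self.aging_hours > 0 and url in self.cache:
            serials, fetched_at = self.cache[url]
            if now_hours - fetched_at < self.aging_hours:
                return serials                    # served from the on-disk cache
        serials, seconds = self.fetch(url)
        if serials is None or seconds > self.timeout_sec:
            return None
        if self.aging_hours > 0:
            self.cache[url] = (serials, now_hours)
        return serials


def demo() -> Dict[str, object]:
    """Walk the situations the article describes; returns the outcomes for inspection."""
    crl_url = "http://crl.example.test/site.crl"      # constructed sample CDP
    fetcher = ScriptedFetcher({crl_url: ({"0C0FFEE"}, 0.4)})
    checker = RevocationChecker(fetch=fetcher)
    good = SiteCertificate("1234", [crl_url])
    revoked = SiteCertificate("0C0FFEE", [crl_url])
    stapled = SiteCertificate("1234", [crl_url], StapledOcsp("good", True, True))
    untrusted = SiteCertificate("1234", [crl_url], StapledOcsp("good", True, False))
    out: Dict[str, object] = {}
    out["stapled"] = checker.status(stapled, 0.0)            # answered from the handshake
    out["fetches_after_stapled"] = len(fetcher.calls)
    out["untrusted_staple"] = checker.status(untrusted, 0.0)  # falls back to the CDP
    out["revoked"] = checker.status(revoked, 1.0)             # one hour later: cache hit
    out["fetches_after_cache"] = len(fetcher.calls)
    out["refetch_after_aging"] = checker.status(good, 28.0)   # 27 hours exceeded: refetch
    out["fetches_after_aging"] = len(fetcher.calls)
    slow = RevocationChecker(fetch=ScriptedFetcher({crl_url: (set(), 6.0)}))
    out["timeout"] = slow.status(good, 0.0)                   # 6 s download beats the 5 s limit
    down = RevocationChecker(fetch=ScriptedFetcher({}))
    out["unreachable"] = down.status(good, 0.0)
    return out
```

Running demo() shows why a site can be blocked by a "revocation check failed" rule without its certificate being revoked: a slow or unreachable CDP alone produces "unknown", and the cache is what keeps one CRL download from being repeated for every connection during the aging period.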

Configuration Settings:

The following settings in the WebMarshal node controller XML configuration file can be used to tune the CRL checking and caching features.

  • AdvancedSettings - CRLAgingPeriodHours: Sets the maximum time, in hours, that CRLs will be retained in the local cache.
    • Default: 27 hours. Maximum: 1000. If set to zero, CRL caching is disabled.

  • AdvancedSettings - CRLDownloadTimeoutSec: Sets the maximum time, in seconds, that the Controller waits for a CRL download before returning revocation status of "unknown".
    • Default: 5 seconds. Acceptable values: 1-60.

To set these values:

Edit the WebMarshal Controller Configuration file on each processing server (WMController.config.xml). Add one or both of the following settings:

<WebMarshal>
    <Controller>
        <Config>
            <AdvancedSettings CRLAgingPeriodHours="{aging period in hours}" CRLDownloadTimeoutSec="{timeout in seconds}" [other attributes...] />
        </Config>
    </Controller>
</WebMarshal>

Notes:

  • For general information about editing XML settings files, see article Q12705.
  • The file WMController.config.xml is located on the processing server. If you have more than one processing server, you must make the changes on each server.
  • To apply the change, restart the WebMarshal Controller service.
  • When entering the values, do not include the braces {}, but do include the quote marks.
  • Back up configuration before making changes.
  • The file WMController.config.xml normally contains additional settings. The AdvancedSettings node can have multiple attributes. The node should only occur once.
  • To adjust these settings, only add (or remove) the specific attributes as described above.
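Because the notes above require a backup, a single AdvancedSettings node, untouched neighbouring attributes and values inside the documented ranges, an edit script that enforces those rules is safer than hand editing on several processing servers. The following is an added example and not a WebMarshal tool; it assumes the element layout shown above (WebMarshal/Controller/Config/AdvancedSettings) and the limits the article states (aging period 0-1000 hours, timeout 1-60 seconds). SAMPLE_CONFIG is a constructed stand-in for the real file, whose location in the installation folder you supply on the command line; after running it, restart the WebMarshal Controller service as described.

```python
"""Set or remove the CRL tuning attributes in WMController.config.xml (added example, not a WebMarshal tool)."""
import shutil
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path
from typing import Dict, Iterable

# attribute -> (minimum, maximum) as given in the article; 0 for the aging period disables caching
LIMITS = {"CRLAgingPeriodHours": (0, 1000), "CRLDownloadTimeoutSec": (1, 60)}

# Constructed sample of the file, with an unrelated attribute that must survive the edit.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<WebMarshal>
  <Controller>
    <Config>
      <!-- other settings omitted -->
      <AdvancedSettings SomeOtherAttribute="keep-me" />
    </Config>
  </Controller>
</WebMarshal>
"""


def validate(settings: Dict[str, int]) -> None:
    """Reject attributes the article does not define and values outside their range."""
    for name, value in settings.items():
        if name not in LIMITS:
            raise ValueError(f"unknown AdvancedSettings attribute: {name}")
        lo, hi = LIMITS[name]
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            raise ValueError(f"{name} must be an integer from {lo} to {hi}, got {value!r}")


def _parse(xml_text: str) -> ET.Element:
    # keep comments so the rewritten file still carries the original annotations
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def apply_settings(xml_text: str, settings: Dict[str, int], remove: Iterable[str] = ()) -> str:
    """Return the XML with the given attributes set (and the named ones removed) on the
    single AdvancedSettings node, leaving every other attribute and element untouched."""
    validate(settings)
    root = _parse(xml_text)
    config = root.find("./Controller/Config") if root.tag == "WebMarshal" else None
    if config is None:
        raise ValueError("expected WebMarshal/Controller/Config in the file")
    nodes = config.findall("AdvancedSettings")
    if len(nodes) > 1:
        raise ValueError("AdvancedSettings must occur only once; fix the file by hand")
    node = nodes[0] if nodes else ET.SubElement(config, "AdvancedSettings")
    for name, value in settings.items():
        node.set(name, str(value))        # written with quote marks, no braces
    for name in remove:
        node.attrib.pop(name, None)       # removing an attribute restores the default
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def read_settings(xml_text: str) -> Dict[str, str]:
    """Return the attributes currently on AdvancedSettings (empty if the node is absent)."""
    node = _parse(xml_text).find("./Controller/Config/AdvancedSettings")
    return dict(node.attrib) if node is not None else {}


def update_file(path: str, settings: Dict[str, int], remove: Iterable[str] = ()) -> Path:
    """Back up the file next to itself, rewrite it in place and return the backup path."""
    target = Path(path)
    backup = target.with_name(f"{target.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(target, backup)
    updated = apply_settings(target.read_text(encoding="utf-8"), settings, remove)
    target.write_text(updated, encoding="utf-8")
    return backup


if __name__ == "__main__":
    import sys  # usage: python crl_settings.py <path to WMController.config.xml>
    print("backup written to", update_file(sys.argv[1], {"CRLAgingPeriodHours": 48, "CRLDownloadTimeoutSec": 10}))
```

Run it on each processing server with the path of that server's WMController.config.xml; it refuses files with more than one AdvancedSettings node and values such as a 0 second timeout or a 1001 hour aging period, which the Controller would not accept either.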

See also the User Guide and Help for the specific Console windows.


Last Modified 11/6/2017.
https://support.trustwave.com/kb/KnowledgebaseArticle20605.aspx