Barracuda Web Security Gateway

How can support troubleshoot certificate revocation errors?

  • Type: Knowledgebase
  • Date changed: 4 years ago
Solution #00006995 


Scope:

All Barracuda Web Filters, All Firmware Versions.

 

Answer:

If client machines display errors when browsing to HTTPS websites, the client browsers may be unable to download the Certificate Revocation List (CRL) from the certificate authority. This causes an error to appear which the user can most likely click through, but it will of course cause some irritation.

 

1. Check whether a block appears in the Web Log. If so, you should be able to create a rule or exception to allow it through.

2. If nothing shows in the Web Log, get a packet capture while the user tests access to an affected site.

3. Open the pcap in Wireshark and look for a request to the CA for a ‘.crl’ file.

4. Follow the TCP Stream and you may see something like the following:

GET http://crl.quovadisglobal.com/qvrca2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Proxy-Connection: Keep-Alive
Host: crl.quovadisglobal.com

HTTP/1.0 407 Proxy Authentication Required
Server: http_scan/4.0.2.6.19
Date: Thu, 18 Dec 2014 09:50:56 GMT
Content-Type: text/html

 

If that’s the case, you may be tempted to create a Proxy Exemption for ‘.crl’ files, which may not prove effective. Notice that the User-Agent is different from a typical browser string: the CRL request is made by a separate process rather than by the browser, so the proxy authentication is actually being passed off to that process. Exempting this User-Agent in Advanced -> Proxy with a wildcard (Microsoft-CryptoAPI.*) will allow the requests through and should resolve the issue. The exemption matches on the header alone, so it applies to any request that presents this User-Agent string.
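The check in steps 3 and 4 can be run over the text saved from Follow TCP Stream. The script below is an added example, not Barracuda tooling; the function name and the sample stream (modelled on the capture above, plus a constructed browser request) are assumptions made for illustration. It reports each CRL request the proxy answered with 407 and the User-Agent that sent it.

```python
import re

# Constructed sample: the capture from this article plus one ordinary request.
SAMPLE_STREAM = """\
GET http://crl.quovadisglobal.com/qvrca2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Proxy-Connection: Keep-Alive
Host: crl.quovadisglobal.com

HTTP/1.0 407 Proxy Authentication Required
Server: http_scan/4.0.2.6.19
Date: Thu, 18 Dec 2014 09:50:56 GMT
Content-Type: text/html

GET http://www.example.com/index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com

HTTP/1.0 200 OK
Content-Type: text/html
"""

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")

def blocked_crl_fetches(stream_text):
    """Return the CRL requests in a followed stream that got a 407 reply."""
    findings, pending = [], None
    for line in stream_text.splitlines():
        line = line.strip()
        req = REQUEST_LINE.match(line)
        status = STATUS_LINE.match(line)
        if req:
            # Start tracking a new request until its response arrives.
            pending = {"url": req.group(2), "user_agent": None}
        elif status and pending:
            is_crl = pending["url"].split("?")[0].lower().endswith(".crl")
            if is_crl and status.group(1) == "407":
                findings.append(pending)
            pending = None  # response seen; ignore any body lines that follow
        elif pending and line.lower().startswith("user-agent:"):
            pending["user_agent"] = line.split(":", 1)[1].strip()
    return findings

if __name__ == "__main__":
    for f in blocked_crl_fetches(SAMPLE_STREAM):
        print(f"407 on CRL fetch {f['url']} from User-Agent {f['user_agent']}")
```
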


Link To This Page:

https://campus.barracuda.com/solution/5016000000149vBAAQ