All Barracuda Web Filters, All Firmware Versions.
If you are experiencing issues with client machines displaying errors when trying to browse to HTTPS websites then it is possible that the client browsers are unable to download the Certificate Revocation List (crl) from the certificate authority. This will cause an error to appear which the user can most likely click through, but will of course cause some irritation.
1. Check to see if there is a block appearing in the Web Log, if so then you should be able to create a rule or exception to allow it through.
2. If nothing shows in the Web Log for this then you should get a packet capture with the user testing access to an effected site.
3. Look at the pcap in Wireshark and look for a request to the CA requesting a ‘.crl file’
4. Follow the TCP Stream and you may see something like the following:
GET http://crl.quovadisglobal.com/qvrca2.crl HTTP/1.1
HTTP/1.0 407 Proxy Authentication Required
Date: Thu, 18 Dec 2014 09:50:56 GMT
If that’s the case then you may be tempted to create a Proxy Exemption for ‘.crl’ files which may not prove effective. You’ll notice that the User-Agent is different to your typical browser type string, so the authentication is actually being passed off to a different process. Exempting this User-Agent in Advanced -> Proxy with a wildcard (Microsoft-CryptoAPI.*) will allow requests through and should resolve the issue.
Link To This Page: