Cisco Bug: CSCvu51603 - WSA certificate chain validation does not work for cross-signed certs on 10.1.x

Last Modified

Oct 09, 2020

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

10.1.1-235 10.1.3-054 10.1.4-007 10.1.4-017 10.1.5-004

Description (partial)

Symptom:
With trusted root certificate bundle version 1.6, websites are flagged as having an expired root certificate, even though they are trusted and work when bypassed from the WSA. When the 'Expired Certificate' option is configured to decrypt or drop under Invalid Certificate Handling for the HTTPS Proxy, users will see an impact because those websites will show as untrusted.

With trusted root certificate bundle version 1.7, websites are flagged as having an unrecognized root certificate, even though they are trusted and work when bypassed from the WSA. When the 'Unrecognized Root Authority / Issuer' option is configured to decrypt or drop under Invalid Certificate Handling for the HTTPS Proxy, users will see an impact because those websites will show as untrusted.

Conditions:
Websites whose certificate is signed by a cross-signed intermediate certificate, where the cross-signing certificate was issued by a root CA that has since expired. The most recent example is the AddTrust root certificate authority, which expired on May 30, 2020.
