How To block users from accessing HTTPS websites with expired certificate or Untrusted CA cert
03/26/2020
SSL Control provides visibility into the handshake of Secure Sockets Layer (SSL) sessions, and a method for configuring policies to control the establishment of SSL sessions. One of the main features of SSL Control is to provide a way to specify which HTTPS certificates to block.
This article describes how to use SSL Control to detect connections from the LAN zone to HTTPS websites that present either an expired certificate or a certificate signed by an untrusted CA.
Step 1. Log in to the SonicWall Management interface.
Step 2. Navigate to the Network | Zones page and click Edit on the LAN zone.
Step 3. Check the SSL Control check-box to enable it in the LAN zone. This affects all LAN users, since SSL Control is enabled for the whole zone.
Step 4. Navigate to the Firewall Settings | SSL Control page.
Step 5. Check the Enable SSL Control check-box.
Step 6. Check the Detect Expired certificates check-box.
Step 7. Check the Detect Self-signed certificate check-box.
Step 8. Check the Detect Certificate signed by an untrusted CA check-box.
Although only the Certificate signed by an untrusted CA and Self-signed certificate examples are presented here, SSLv2 and the other options can also be used.
Make sure the action "Block the connection and log the event" is selected.
NOTE: Specific websites that users know to be legitimate can be added under the exclusion list.
Step 9. Click Accept to save.
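The following script is an added example, not SonicWall code: it mirrors the three detections configured above (expired certificate, self-signed certificate, certificate signed by an untrusted CA) on the client side, so an administrator can see from a LAN host which category a given site would fall into and whether the policy would block it. It relies on the OpenSSL verify codes that Python's ssl module exposes on SSLCertVerificationError.verify_code; the host names, the enabled-detection set and the log-line format are constructed for illustration and are not the firewall's own log text.

```python
"""Client-side mirror of the SSL Control detections described in the article.
Added illustration, not SonicWall code."""
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, exposed as ssl.SSLCertVerificationError.verify_code
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21

# Map each verify code onto the SSL Control check-box it corresponds to.
# A chain that ends in a self-signed root we do not trust, or whose issuer
# cannot be found locally, is what the "untrusted CA" check-box covers.
DETECTIONS = {
    X509_V_ERR_CERT_HAS_EXPIRED: "expired",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "self_signed",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "untrusted_ca",
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "untrusted_ca",
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: "untrusted_ca",
}

LABELS = {
    "expired": "Expired certificate",
    "self_signed": "Self-signed certificate",
    "untrusted_ca": "Certificate signed by an untrusted CA",
}


def classify(verify_code):
    """Return the SSL Control category for an OpenSSL verify code, or None when
    the certificate verified or failed for a reason outside the three detections."""
    return DETECTIONS.get(verify_code)


def evaluate(host, verify_code, enabled, exclusions=()):
    """Apply the policy from the article: block and log when an enabled detection
    fires, unless the host is on the exclusion list. Returns (action, log_line).
    The log line format is constructed here, not the firewall's own text."""
    if host in exclusions:
        return "allow", None
    category = classify(verify_code)
    if category is None or category not in enabled:
        return "allow", None
    return "block", "SSL Control: %s - %s" % (LABELS[category], host)


def probe(host, port=443, timeout=5.0):
    """Handshake with the system trust store and return the OpenSSL verify
    code (0 on success). Needs network access; the tests below do not use it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return X509_V_OK
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_code


if __name__ == "__main__":
    # Constructed policy: all three detections on, one internal host excluded.
    enabled = {"expired", "self_signed", "untrusted_ca"}
    exclusions = ("intranet.example",)  # placeholder host name
    for host in ("www.example.com", "intranet.example"):  # placeholders
        code = probe(host)
        print(host, code, evaluate(host, code, enabled, exclusions))
```

Run the script from a LAN host before and after enabling SSL Control: before, a site with an untrusted chain reaches the browser and `probe` returns a non-zero verify code; after, the firewall blocks the session itself, so the handshake never completes. The `evaluate` function is the part worth keeping for a local test plan, since it makes the exclusion list and the "which check-box fired" question explicit.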
How to Test:
Step 1. Log out of the SonicWall Management interface.
Step 2. Open an internet browser.
Step 3. Try to access any SSL website that has either a certificate signed by an untrusted CA or a self-signed certificate.
Under Sonicwall | Log, the following message will be shown:
For an untrusted CA: