Moderator

Re: OCSP on Firefox




Nobody should use the factory default SSL certificate for authenticating employees in the first place. That's a recipe for getting your network hacked.

---
Jon Green, ACMX, CISSP, CISM, and a bunch of other acronyms
Aruba Security CTO
Contributor I

Network Solutions

Has anyone got this working with a Network Solutions certificate?

I added ACLs according to the KB provided by Aruba, but no luck getting it to work.
nslookup http://crl.netsolssl.com/NetworkSolutions_CA.crl returns
Address: 205.234.175.175
Aliases: crl.netsolssl.com

Here's my configuration.

netdestination netsolssl
host 205.234.175.175

ip access-list session netsolssl
user alias netsolssl http permit

user-role logon
session-acl netsolssl
session-acl logon-control
session-acl captiveportal
session-acl deny-all-log
session-acl Deny-Internal

Is something wrong with my solution?
Contributor I

Re: OCSP on Firefox

skywalker, I did an nslookup on ocsp.netsolssl.com and the IP seems to be 91.199.212.154. The address itself is an alias of ocsp.trust-secure.com. You could probably contact the provider just to make sure that's the proper IP. Hope that helps. Another thing that I believe is wrong is that OCSP does not use HTTP; I don't think it uses any specified ports.
Contributor I

Re: OCSP on Firefox




Thank you Twotech!
Where did you get the URL ocsp.trust-secure.com? When I open my Network Solutions certificate, the CRL refers to crl.netsolssl.com and crl2.netsolssl.com. Both nslookups return the same IP address. I have also called Network Solutions. Unfortunately they don't have much support for OCSP. :confused:

Occasional Contributor II

in addition

all,

I added all the IPs listed above and in addition enabled OCSP Responder.
1. Configuration->Certificates->Revocation Checkpoint
2. Enable OCSP Responder (radio button) The OCSP Certificate pull down stays empty.
3. Apply
4. Save Config

Hope it works for all

Gonzalo
Guru Elite

Re: OCSP on Firefox


Gonzalo,

That config knob is not related to the firefox issue, unfortunately.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor II

Re: OCSP on Firefox

Has anyone had any luck with this?
Recap: Firefox uses OCSP to validate the certificate with the issuer. In my case I'm using Entrust, so it tries to go to ocsp.entrust.net.

I cannot change guest's Firefox settings so disabling ocsp is not an option.

It looks to me that we need to be able to force the captive portal to allow this traffic outbound. I've tried adding it to the logon-control ACL, but to no avail. Any time Firefox tries to hit an HTTP address, the captive portal does an HTTP 302 Moved Temporarily redirect to the address designated in the certificate.

Any assistance is greatly appreciated!
Guru Elite

Re: OCSP on Firefox


Did you upload a custom certificate to your Captive Portal or are you using the built-in certificate? If you are using a custom certificate (Entrust), we need to find out what the OCSP url is, because it will not match what has been configured in this thread.

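The reply above boils the problem down to one question: which OCSP (and CRL) hosts does the uploaded portal certificate point at, so that the logon role can permit them before the captiveportal ACL redirects everything else. The script below is an added example, not code from this thread, from Aruba or from Entrust: it reads those URLs out of a certificate's Authority Information Access and CRL Distribution Points extensions with the openssl CLI and prints the ArubaOS netdestination and session ACL in the same shape as skywalker's netsolssl config earlier in the thread. It assumes the deployed ArubaOS release accepts `name <fqdn>` entries in a netdestination and has the built-in `svc-http` service alias; on releases that only take `host <ip>`, resolve the printed hosts and use those instead. The certificate it runs on when called without an argument is a constructed self-signed sample with example.test hostnames, not a real Entrust or Network Solutions certificate.

```shell
#!/bin/sh
# Added example (not from the thread): list the revocation endpoints a browser
# contacts while validating a captive-portal certificate, and emit the ArubaOS
# lines that let the logon role reach them before the portal redirect applies.
# Requires the openssl CLI. "name <fqdn>" netdestination entries and the
# "svc-http" alias are assumed to exist on your ArubaOS release.
set -eu

# OCSP responder URIs from the Authority Information Access extension.
cert_ocsp_uris() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# CRL Distribution Point URIs. In "-text" output these are the only lines that
# start with "URI:" (AIA entries print as "OCSP - URI:" / "CA Issuers - URI:").
cert_crl_uris() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# Host part of a URL: scheme://HOST[:port]/path -> HOST
uri_host() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/:]+).*#\1#'
}

# Every distinct host the client must reach for revocation checking.
revocation_hosts() {
  { cert_ocsp_uris "$1"; cert_crl_uris "$1"; } | while read -r u; do
    uri_host "$u"
  done | LC_ALL=C sort -u
}

# ArubaOS fragment. Place the session ACL in the logon role above the
# captiveportal ACL so the OCSP/CRL fetch is permitted instead of redirected.
aruba_config() {
  cert=$1
  alias_name=${2:-cp-cert-revocation}
  printf 'netdestination %s\n' "$alias_name"
  revocation_hosts "$cert" | while read -r h; do
    printf '  name %s\n' "$h"
  done
  printf '!\nip access-list session %s\n' "$alias_name"
  printf '  user alias %s svc-http permit\n!\n' "$alias_name"
}

# Constructed sample: a throwaway self-signed certificate carrying AIA and
# CRL DP extensions, standing in for the real portal certificate.
make_sample_cert() {
  dir=$1
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = captiveportal.example.test
[v3]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://aia.example.test/ca.crt
crlDistributionPoints = URI:http://crl.example.test/ca.crl,URI:http://crl2.example.test/ca.crl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/ext.cnf" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# Usage: sh revocation_acl.sh portal-cert.pem   (no argument: use the sample cert)
if [ $# -gt 0 ]; then
  aruba_config "$1"
else
  tmp=$(mktemp -d)
  aruba_config "$(make_sample_cert "$tmp")"
  rm -rf "$tmp"
fi
```

Run it against the certificate actually uploaded to the controller, not the issuer's marketing page: the OCSP host in the AIA extension is what Firefox queries, and it can differ from the CRL hosts (as the netsolssl/trust-secure confusion earlier in the thread shows). The ACL only needs to admit plain HTTP to those hosts; OCSP and CRL fetches are HTTP on port 80, which is exactly the traffic the captive portal would otherwise answer with a 302.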
Occasional Contributor II

Re: OCSP on Firefox




I'm using a custom certificate issued by Entrust that I uploaded and applied. The certificate is valid and Chrome and IE work just fine. Also Firefox works just fine as long as I have certificate validation disabled. Because it's an Entrust certificate, it is trying to reach ocsp.entrust.net (presently 216.191.247.203) on HTTP however that is being redirected.

Guru Elite

Re: OCSP on Firefox




Can you publish the "show datapath session table" output while the user is trying to open the browser?

