GBurch
Mar 25, 2021
Solved

Bypass certificate check

Is there any way that checking the certificate details could be bypassed in specific cases (e.g. a particular client/IP Address, particular URLs/domains) when using SWG as a Forward Proxy?

We are trying to set up a Red Hat Satellite server to download repositories from Red Hat and make them available internally. The documentation states that "Use of an SSL interception proxy interferes with this communication. These hosts must be whitelisted on the proxy." Apparently, the reason an SSL Interception proxy interferes with it is that the server certificates aren't signed with publicly trusted certs. The application trusts these certificates, but obviously the proxy doesn't.

We do have an SSL Intercept bypass list in place, but as I understand it, the proxy will still check that the certificate is valid (as this can be checked without decoding the traffic). Is there any way that we can disable or bypass this check for this traffic?

2 Replies

  • Have you checked if the SSL server profile options are set to ignore under "Server Authentication settings"?

    https://support.f5.com/csp/article/K14806

    • GBurch

      OK, so "Untrusted Certificate Response Control" is set to Ignore already, so I guess there isn't a problem here.

      I was sure we were filtering out invalid certificates at that level. I guess I should have checked first.

      Thanks for your help