DotW: CRL downloads

Created On 09/25/18 19:05 PM - Last Modified 07/19/22 23:10 PM


Resolution


You've set up a safe and secure environment that blocks all unwanted URL categories. But when you visit an SSL-encrypted site and the browser tries to download the CRL for the site's certificate, the download is blocked because the CRL link falls into a blocked category.


Discussion


A certificate revocation list (CRL) is a list of certificates that the issuing CA has revoked. Entities presenting those (revoked) certificates should no longer be trusted, which is why the browser tries to fetch the CRL before trusting the site.


As RC-BHF already pointed out in his question, one way to work around this is to add the CRL URLs to the Allow List.

This is a fine solution if you only need to add a few. You will find the Allow List under Objects > Security Profiles > URL Filtering > URL Filtering Profile.


[Screenshot: URL Filtering Profile]


Using the Allow List will indeed do the trick, but it doesn't scale well if you need to add many CRL URLs.


The limitation was discussed on the forum here: Custom App for CRL downloads


An alternative was proposed using a Custom App. Here, user dennisss used the http-req-headers context, which let him match a pattern such as .*\.crl HTTP.*User\-Agent.* against the request headers, and he additionally inspected the http-rsp-headers context of the same transaction to check the response content type.


Check out the XML code below:


<application version="5.0.0">
  <entry name="CRL">
    <signature>
      <entry name="GET CRL File">
        <and-condition>
          <entry name="And Condition 1">
            <or-condition>
              <entry name="Or Condition 1">
                <operator>
                  <pattern-match>
                    <qualifier>
                      <entry name="http-method">
                        <value>GET</value>
                      </entry>
                    </qualifier>
                    <pattern>.*\.crl HTTP.*User\-Agent.*</pattern>
                    <context>http-req-headers</context>
                  </pattern-match>
                </operator>
              </entry>
            </or-condition>
          </entry>
          <entry name="And Condition 2">
            <or-condition>
              <entry name="Or Condition 1">
                <operator>
                  <pattern-match>
                    <pattern>.*((application/pkix-crl)|(application/x-pkcs7-crl)|(text/plain)).*</pattern>
                    <context>http-rsp-headers</context>
                  </pattern-match>
                </operator>
              </entry>
            </or-condition>
          </entry>
        </and-condition>
        <scope>protocol-data-unit</scope>
        <order-free>no</order-free>
      </entry>
    </signature>
    <subcategory>infrastructure</subcategory>
    <category>networking</category>
    <technology>client-server</technology>
    <description>matches CRL download</description>
    <risk>2</risk>
    <evasive-behavior>no</evasive-behavior>
    <consume-big-bandwidth>no</consume-big-bandwidth>
    <used-by-malware>no</used-by-malware>
    <able-to-transfer-file>no</able-to-transfer-file>
    <has-known-vulnerability>yes</has-known-vulnerability>
    <tunnel-other-application>no</tunnel-other-application>
    <tunnel-applications>no</tunnel-applications>
    <prone-to-misuse>no</prone-to-misuse>
    <pervasive-use>no</pervasive-use>
    <file-type-ident>no</file-type-ident>
    <virus-ident>no</virus-ident>
    <spyware-ident>no</spyware-ident>
    <data-ident>no</data-ident>
    <default>
      <port>
        <member>tcp/80</member>
      </port>
    </default>
  </entry>
</application>

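To see what the two conditions of this signature actually require, here is an added Python example (not from the original article, and not Palo Alto Networks code) that applies the same two regular expressions, plus the GET qualifier, to a few constructed HTTP request and response header blocks. The firewall's own matching engine is not emulated in detail; in particular, treating each header block as one string in which `.` may span line breaks (re.DOTALL) is an assumption, and all hostnames, paths and User-Agent values are made up. The samples show that a GET for a .crl file carrying a User-Agent header and answered with application/pkix-crl (or, as the pattern allows, text/plain) matches, while a POST, a request without a User-Agent header, or an ordinary HTML page does not.

```python
import re

# Regexes copied verbatim from the custom-app signature above. re.DOTALL is an
# assumption: each header block is treated as a single byte string in which
# '.' may cross line breaks.
REQ_PATTERN = re.compile(rb".*\.crl HTTP.*User\-Agent.*", re.DOTALL)
RSP_PATTERN = re.compile(
    rb".*((application/pkix-crl)|(application/x-pkcs7-crl)|(text/plain)).*",
    re.DOTALL,
)


def request_method(req_headers: bytes) -> str:
    """Method token of the request line (what the http-method qualifier checks)."""
    request_line = req_headers.split(b"\r\n", 1)[0]
    return request_line.split(b" ", 1)[0].decode("ascii", "replace")


def matches_crl_signature(req_headers: bytes, rsp_headers: bytes) -> bool:
    """Emulate the signature's and-condition.

    Condition 1: method is GET and the request headers match REQ_PATTERN.
    Condition 2: the response headers match RSP_PATTERN.
    Both must hold for the transaction to be identified as the CRL app.
    """
    cond1 = (
        request_method(req_headers) == "GET"
        and REQ_PATTERN.search(req_headers) is not None
    )
    cond2 = RSP_PATTERN.search(rsp_headers) is not None
    return cond1 and cond2


# Constructed sample transactions (hostnames, paths and agents are made up).
SAMPLES = {
    # Typical Windows CRL fetch: GET for a .crl, User-Agent present, pkix-crl reply.
    "crl_fetch": (
        b"GET /pki/root-ca.crl HTTP/1.1\r\nHost: crl.example.test\r\n"
        b"User-Agent: Microsoft-CryptoAPI/10.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\n"
        b"Content-Length: 1234\r\n\r\n",
    ),
    # Same request, but the server labels the CRL as text/plain; the pattern
    # explicitly accepts that content type, so this still matches.
    "crl_fetch_text_plain": (
        b"GET /pki/sub-ca.crl HTTP/1.1\r\nHost: crl.example.test\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",
    ),
    # Ordinary web page: neither the request nor the response condition holds.
    "html_page": (
        b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    ),
    # The regex alone would match this, but the http-method qualifier rejects POST.
    "post_not_get": (
        b"POST /pki/root-ca.crl HTTP/1.1\r\nHost: crl.example.test\r\n"
        b"User-Agent: curl/7.88\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\n\r\n",
    ),
    # The request pattern requires a User-Agent header; without it no match.
    "no_user_agent": (
        b"GET /pki/root-ca.crl HTTP/1.1\r\nHost: crl.example.test\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\n\r\n",
    ),
}


def classify_samples() -> dict:
    """Run every constructed sample through the emulated signature."""
    return {
        name: matches_crl_signature(req, rsp) for name, (req, rsp) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:22s} -> {'CRL app' if hit else 'no match'}")
```

Running the script prints one line per sample; only the two .crl GETs are classified as the CRL app. Note that the signature never inspects the response body, so the match is based purely on the request line, the presence of a User-Agent header and the advertised Content-Type.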

I've also added the XML code as an attachment for download.


Also, you might find the following articles useful, as they touch on some of the topics discussed here:


Unblocking a URL

Creating Custom Application Signatures


I hope this discussion was helpful—as always, we welcome comments and questions in the comments section below.


Thanks for reading.

Kim Wens