OCSP Status_request Is Not Transmitted by the Firewall When Decryption Is Performed

Created On 12/27/22 12:22 PM - Last Modified 02/14/24 01:06 AM


Symptom


The OCSP "status_request" TLS extension sent by the client is not present in the ClientHello that the firewall transmits to the server when the session is decrypted.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Decryption Policy
  • OCSP (Online Certificate Status Protocol) "status_request"


Cause


  • Some clients use OCSP Stapling (the RFC 6066 "status_request" extension) to avoid a separate OCSP lookup during the TLS handshake: the client advertises the extension in its ClientHello and, if the server supports it, the server includes a recent OCSP response for its own certificate in the handshake.
  • A receive stage packet capture on the firewall (client-facing side) contains the "status_request" extension in the ClientHello sent by the client:

OCSP status_request in receive packet capture

  • A transmit stage packet capture on the firewall (server-facing side) does not contain a "status_request" extension, because with decryption enabled the firewall terminates the client's TLS session and originates its own ClientHello to the server instead of forwarding the client's:

No status_request in the transmit pcap
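To confirm this behavior from your own captures, the following added example (not part of the original article and not a Palo Alto Networks tool) parses a TLS ClientHello record, lists its extensions, and reports which extension types present in the receive-side ClientHello are missing from the transmit-side one. The two ClientHellos embedded below are constructed byte strings, not captured traffic; on a real case, feed it the raw ClientHello records extracted from the receive and transmit pcaps.

```python
import struct

# Extension type codes from the IANA TLS ExtensionType registry.
SERVER_NAME = 0x0000
STATUS_REQUEST = 0x0005          # OCSP stapling request (RFC 6066)
EXT_NAMES = {SERVER_NAME: "server_name", STATUS_REQUEST: "status_request"}


def tls_extension(ext_type, data):
    """Encode one extension: type(2) length(2) data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_extension(hostname):
    """server_name extension carrying a single host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    return tls_extension(SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def status_request_extension():
    """CertificateStatusRequest: status_type ocsp(1), empty responder_id_list, empty request_extensions."""
    return tls_extension(STATUS_REQUEST, b"\x01" + b"\x00\x00" + b"\x00\x00")


def build_client_hello(extensions):
    """Wrap a minimal ClientHello in a TLS handshake record (used only to construct sample input)."""
    body = b"\x03\x03" + bytes(32)                 # legacy_version TLS 1.2, constructed all-zero random
    body += b"\x00"                                # empty session_id
    suites = b"\x13\x01\x13\x02\xc0\x2f"           # constructed sample cipher suite list
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    ext_blob = b"".join(extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Return {extension_type: data} for a TLS record carrying a ClientHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos == len(body):
        return {}                                  # no extensions block at all (legal for old clients)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions block")
    exts = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("truncated extension")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def has_status_request(record):
    return STATUS_REQUEST in parse_client_hello_extensions(record)


def missing_on_transmit(receive_hello, transmit_hello):
    """Extension types the client sent (receive stage) that the firewall did not send (transmit stage)."""
    return set(parse_client_hello_extensions(receive_hello)) - set(parse_client_hello_extensions(transmit_hello))


# Constructed stand-ins for the two captures: the client's hello with SNI + status_request,
# and the firewall's own hello to the server with SNI only.
RECEIVE_HELLO = build_client_hello([sni_extension("example.com"), status_request_extension()])
TRANSMIT_HELLO = build_client_hello([sni_extension("example.com")])

if __name__ == "__main__":
    for label, hello in (("receive", RECEIVE_HELLO), ("transmit", TRANSMIT_HELLO)):
        types = [EXT_NAMES.get(t, hex(t)) for t in parse_client_hello_extensions(hello)]
        print(f"{label:8s} ClientHello extensions: {types}")
    stripped = [EXT_NAMES.get(t, hex(t)) for t in missing_on_transmit(RECEIVE_HELLO, TRANSMIT_HELLO)]
    print("stripped by the firewall:", stripped)
```

A quicker check without writing code is to list extension types per ClientHello directly from each pcap with `tshark -r receive.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extension.type` and compare against the transmit-stage file; the parser above is useful when you want to diff the hellos programmatically or inspect the extension payload itself.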



Resolution


  1. OCSP Stapling is not currently supported by Palo Alto Networks Decryption: the ClientHello the firewall sends to the server does not advertise "status_request", so the server will not staple an OCSP response, and the client-facing handshake does not carry a stapled response either.
  2. The behavior of "status_request" being stripped from the request is expected and is not a fault; no configuration change restores it. Revocation status of the server certificate is instead checked by the firewall's own CRL/OCSP certificate revocation checking, if that is enabled in the decryption settings.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saF5CAI&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail