The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.

From A10 Networks ADC ALG Security Technical Implementation Guide

Part of SRG-NET-000164-ALG-000100

Associated with: CCI-000185

SV-82459r1_rule The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.

Vulnerability discussion

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate.Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses.The A10 Networks ADC can be configured to use Open Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs) to verify the revocation status of certificates. OCSP is preferred since it reduces the overhead associated with CRLs.

Check content

If the ALG does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable. Verify the ALG validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the ALG does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.

Fix text

If intermediary services for TLS are provided, configure the device to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. The following command configures an authentication-server profile for an Online Certificate Status Protocol (OCSP) server: authentication-server ocsp [profile-name]

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer