Overview
When the Umbrella Secure Web Gateway (SWG) web proxy is configured to perform HTTPS Inspection, a user may receive a 517 Upstream Certificate Revoked error page. This error indicates that the requested website sent a digital certificate in the TLS negotiation which has a status of "revoked" according to the issuer of that certificate, or a similar authority. A revoked certificate is no longer valid.
Certificate revocation checking methods and SWG
Umbrella Secure Web Gateway can perform certificate revocation checks using two Internet-standard mechanisms: the Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs).
URLs found in each certificate specify OCSP and/or CRL servers that clients can query to obtain the certificate's revocation status. A certificate may list URLs for one or both (or less commonly, none) of these methods.
SWG will make requests to each HTTP URL in a certificate, until either all requests receive responses indicating that the certificate is not revoked, or a request returns a status of revoked.
All certificates in the chain, from the server's certificate to the root certificate, are checked in this manner. Note that responses are typically cached and used to answer future checks; the caching time is set by the response itself.
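The checking loop the paragraphs above describe, as an added illustration in Python (this is not Umbrella's code, and the responder URLs, answers and cache TTLs are constructed sample data): every URL in every chain member is queried, a single "revoked" answer ends the check, and each answer is cached for the lifetime the response specifies. The sample also shows the OCSP/CRL divergence mentioned later on this page, where the leaf's OCSP responder says "good" but its CRL lists it as revoked.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GOOD, REVOKED = "good", "revoked"

@dataclass
class Cert:
    name: str
    urls: List[str]        # OCSP responder and/or CRL URLs carried in the certificate

@dataclass
class RevocationChecker:
    fetch: Callable[[str, str], Tuple[str, int]]     # (url, cert name) -> (status, ttl seconds)
    cache: Dict[Tuple[str, str], Tuple[str, int]] = field(default_factory=dict)
    queries: List[Tuple[str, str]] = field(default_factory=list)   # network requests made

    def _status(self, url: str, cert: Cert, now: int) -> str:
        key = (url, cert.name)
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:             # cached and still within its TTL
            return hit[0]
        self.queries.append(key)                         # otherwise ask the responder
        status, ttl = self.fetch(url, cert.name)
        self.cache[key] = (status, now + ttl)            # caching time comes from the response
        return status

    def check_cert(self, cert: Cert, now: int) -> str:
        # Query every URL in the certificate; stop early only on a "revoked" answer.
        for url in cert.urls:
            if self._status(url, cert, now) == REVOKED:
                return REVOKED
        return GOOD                                      # no URLs at all: nothing reports revoked

    def check_chain(self, chain: List[Cert], now: int) -> Tuple[str, Optional[str]]:
        # Walk from the server certificate up to the root; any revoked member fails the chain.
        for cert in chain:
            if self.check_cert(cert, now) == REVOKED:
                return REVOKED, cert.name
        return GOOD, None

# Constructed sample data (hypothetical responders): OCSP says "good", the CRL says "revoked".
ANSWERS: Dict[Tuple[str, str], Tuple[str, int]] = {
    ("http://ocsp.example.test", "leaf"): (GOOD, 300),
    ("http://crl.example.test/leaf.crl", "leaf"): (REVOKED, 300),
    ("http://ocsp.example.test", "intermediate"): (GOOD, 3600),
}
CHAIN = [Cert("leaf", ["http://ocsp.example.test", "http://crl.example.test/leaf.crl"]),
         Cert("intermediate", ["http://ocsp.example.test"]),
         Cert("root", [])]                              # roots often carry no revocation URLs

def run_demo() -> dict:
    checker = RevocationChecker(fetch=lambda url, name: ANSWERS[(url, name)])
    # now=100 is inside the 300 s TTL (served from cache); now=400 is past it (refetched).
    verdicts = [checker.check_chain(CHAIN, now=t)[0] for t in (0, 100, 400)]
    return {"verdicts": verdicts, "queries": list(checker.queries)}
```

Because the CRL answer is "revoked", the chain fails on the leaf and the intermediate is never queried; the verdict then stays cached until the 300-second lifetime the response specified has elapsed.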
Different behavior when browsing directly
Web clients can use a variety of revocation checking mechanisms, depending on the client. For example, Google's Chrome browser does not, by default, use either OCSP or standard CRLs. Instead, Chrome uses a proprietary form of CRL called CRLSet, which Secure Web Gateway does not use. As a result, Chrome may not reach the same conclusion as SWG when checking a certificate's revocation status.
Note however that, as the CRLSet documentation states, "in some cases, the underlying system certificate library always performs these checks no matter what Chromium does." Thus, depending on your local configuration, an OCSP and/or CRL check may be performed by either your browser, or the operating system’s cryptographic service libraries, such as SChannel, Secure Transport, or NSS.
Note also that OCSP and CRL checks are not guaranteed to produce the same result.
Consult your browser or operating system vendor's documentation to determine which certificate revocation checks are performed when browsing.
Remediation
Use of valid certificates is the responsibility of the web server administrator. Remediation of this error must be performed on the server by the server administrator. Cisco Umbrella cannot assist in this process.
Work-arounds
Cisco Umbrella strongly advises against accessing a website that uses a revoked certificate. Work-arounds should only be employed when the user fully understands why a site uses a revoked certificate, and fully accepts any risks.
To avoid the error, the site may be exempted from HTTPS Inspection by creating a Selective Decryption List that includes the site's domain name. The Selective Decryption List would be applied to the Web policy which permits access to the site. Alternatively, the site may be added to the External Domains list to send traffic directly to the site, bypassing SWG.
Additional Information
Customers wishing to confirm whether a server's certificate is revoked may use third-party tools designed to check revocation status. Most notably, the Qualys SSL Labs' SSL Server Test tool will perform both OCSP and CRL checks, in addition to providing other certificate validity information. The tool is available online at:
We recommend using this tool to check the site which produces a 517 Upstream Certificate Revoked error, prior to opening a support case with Cisco Umbrella.
See also: https://support.umbrella.com/hc/en-us/articles/4406133198100-Certificate-and-TLS-Protocol-Errors