Forefront TMG 2010 Outbound HTTPS Inspection vs certificate revocation checking connection failures

After the Comodo buzz [1][2], some wondered how TMG's Outbound HTTPS Inspection handles connection failures during certificate revocation checking.

Well, TMG uses the underlying Windows Crypto API and basically does almost what IE8 or IE9 do on Windows 7 when it is installed, for example, on Windows Server 2008 R2.
Meaning, it can use both GET and POST for OCSP requests (falling back from GET to POST if GET fails), but does not use OCSP nonces; it also retrieves CRLs and can fall back from OCSP to CRL download if OCSP fails.
But, unlike IE, it does not support OCSP stapling by default, due to its SSL 2.0 compatible Client Hello (and will not support it even if you put it in FIPS mode).

In case of a failure to download a CRL or to obtain an OCSP response (a connection failure), the certificates are not treated as invalid, meaning the connections are not dropped.

So on the bright side, regardless of the revocation-checking capabilities of the browsers behind TMG (whether they enable certificate revocation checking by default or not, or support only OCSP or only CRL), TMG takes this certificate revocation check off their hands if configured to do so.
On the bad side, browsers behind TMG which may be configured to treat the certificates as invalid in case of an OCSP server connection failure, like Firefox, lose this ability.
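As an added illustration (a constructed model, not TMG's or Windows' own code), the following Python snippet walks the OCSP GET, then OCSP POST, then CRL fallback chain described above and applies either a TMG-style soft-fail decision or a Firefox-style hard-fail decision when every source is unreachable. The transports are injected callables standing in for real network fetches, and the audit trail is there so an operator can see when a connection was accepted without a verified revocation status.

```python
"""Model of the revocation-check fallback chain: OCSP GET -> OCSP POST -> CRL,
then a policy decision (soft-fail accepts, hard-fail rejects) when all fail."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A transport returns "good" or "revoked" when it gets an answer, None when the
# answer is unusable, and raises ConnectionError on a connection failure.
# These are constructed model values, not real OCSP/CRL parsing.
Fetcher = Callable[[str], Optional[str]]


@dataclass
class RevocationChecker:
    ocsp_get: Fetcher
    ocsp_post: Fetcher
    crl_fetch: Fetcher
    hard_fail: bool = False                     # False models TMG's behaviour
    trail: List[str] = field(default_factory=list)  # what was tried, in order

    def check(self, cert_id: str) -> str:
        """Return 'accept', 'reject' or 'accept-unverified' for cert_id."""
        for name, fetch in (("ocsp-get", self.ocsp_get),
                            ("ocsp-post", self.ocsp_post),
                            ("crl", self.crl_fetch)):
            try:
                status = fetch(cert_id)
            except ConnectionError as exc:
                self.trail.append(f"{name}: connection failure ({exc})")
                continue                        # fall back to the next source
            if status in ("good", "revoked"):
                self.trail.append(f"{name}: {status}")
                return "accept" if status == "good" else "reject"
            self.trail.append(f"{name}: no usable answer")
        # Every source failed: this is the case the post is about.
        if self.hard_fail:
            self.trail.append("status unknown: rejecting (hard-fail)")
            return "reject"
        self.trail.append("status unknown: accepting (soft-fail)")
        return "accept-unverified"


def unreachable(_cert_id: str) -> Optional[str]:
    """Constructed transport that never connects (e.g. a timeout)."""
    raise ConnectionError("timeout")


def compare_policies(cert_id: str = "leaf-1") -> dict:
    """Same failing transports under both policies; returns the decisions."""
    soft = RevocationChecker(unreachable, unreachable, unreachable)
    hard = RevocationChecker(unreachable, unreachable, unreachable, hard_fail=True)
    return {"soft-fail": soft.check(cert_id), "hard-fail": hard.check(cert_id)}
```

Lines in `trail` containing "accepting (soft-fail)" are the ones worth alerting on, since they mark connections that passed inspection with no revocation status at all.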

References

[1] The Recent RA Compromise
http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/

[2] Microsoft Security Advisory (2524375)
http://www.microsoft.com/technet/security/advisory/2524375.mspx
