The following ssl-gw anomaly was discovered today on Gauntlet Firewalls.

Most browsers contain an expired certificate for the Verisign/RSA Secure Server CA. The certificate expired 31 December 1999. Newer browsers, IE 5.0 and above and Netscape Communicator/Navigator 4.6 and above, will have a second valid certificate that expires on 07 January 2010.

When the Gauntlet Firewall is configured to operate in transparent mode, users with an expired certificate will be unable to establish a connection to a secure server although a second, valid certificate is present. Once the expired certificate is deleted from the list, the user is able to establish a secure connection using the Gauntlet ssl-gw in transparent mode.

It is unknown whether the same problem exists when the user has configured the Gauntlet firewall as a proxy for SSL connections.

At the site where this anomaly was discovered there is a Squid proxy server. Using the Squid proxy server, Netscape Communicator/Navigator users are able to establish a secure connection even with the expired certificate in the list; however, IE users were unable to establish any secure connections until the expired certificate was deleted.

Merton Campbell Crockett
General Dynamics Electronic Systems
