Operational Defect Database

BugZero found this defect 954 days ago.

WatchGuard Technologies | kA16S000000SNINSA4

Content inspection incorrectly validates certificates that use imported general use CA certificates

Last update date:

10/8/2021

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

When validating certificates, proxies with content inspection enabled might return invalid re-signed certificates to users when expired root CA or intermediate CA certificates are present as "general use CA" certificates.

Workaround/Solution

Proxies use a dedicated set of trusted CAs to validate certificates when content inspection is enabled. Proxies do not require the general use CAs to function. Review the list of certificates on your Firebox and delete any expired "CA cert" certificates. Do not remove certificates with O=WatchGuard or O=WatchGuard_Technologies, which are part of the default set of certificates and required for Firebox operations. For more information about Firebox certificates, see About Certificates in Fireware Help.
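The selection rule from the workaround above, as an added example that is not WatchGuard's or BugZero's code: it picks expired "CA cert" entries and skips any whose subject organization is exactly WatchGuard or WatchGuard_Technologies. The inventory layout (subject, type, not_after), the "other" type label and all sample entries are constructed for illustration and are not Firebox output.

```python
import re
from datetime import datetime, timezone

# Organizations the page says to keep: part of the default Firebox certificate set.
PROTECTED_ORGS = {"WatchGuard", "WatchGuard_Technologies"}

def organizations(subject):
    """Return the O= values of a comma-separated subject DN (escaped commas kept)."""
    orgs = []
    for rdn in re.split(r"(?<!\\),", subject):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "O":
            orgs.append(value.strip())
    return orgs

def removal_candidates(inventory, now):
    """Subjects of expired "CA cert" entries that are not WatchGuard defaults."""
    candidates = []
    for cert in inventory:
        if cert["type"] != "CA cert":
            continue  # only CA certificates are in scope
        if datetime.fromisoformat(cert["not_after"]) >= now:
            continue  # still within its validity period
        if PROTECTED_ORGS.intersection(organizations(cert["subject"])):
            continue  # default certificate, required for Firebox operations
        candidates.append(cert["subject"])
    return candidates

# Constructed sample inventory (assumed layout, not a Firebox export format).
INVENTORY = [
    {"subject": "O=Example Trust,CN=Example Root CA",
     "type": "CA cert", "not_after": "2020-06-01T00:00:00+00:00"},
    {"subject": "O=WatchGuard_Technologies,OU=Fireware,CN=Sample Default CA",
     "type": "CA cert", "not_after": "2019-01-01T00:00:00+00:00"},
    {"subject": "O=Example Trust,CN=Example Issuing CA",
     "type": "CA cert", "not_after": "2031-01-01T00:00:00+00:00"},
    {"subject": "O=Example Corp,CN=portal.example.com",
     "type": "other", "not_after": "2018-01-01T00:00:00+00:00"},
    # O=WatchGuard appears only inside the CN here, so the entry is not protected.
    {"subject": "O=Lookalike Org,CN=O=WatchGuard",
     "type": "CA cert", "not_after": "2017-01-01T00:00:00+00:00"},
]
NOW = datetime(2021, 10, 8, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for subject in removal_candidates(INVENTORY, NOW):
        print("expired CA cert, review for deletion:", subject)
```

The organization is compared as a whole attribute value rather than by substring, so a certificate that merely mentions WatchGuard in another field is not treated as a default certificate.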

Status

Open
