On March 13, 2015, CERT published a blog article at http://www.cert.org/blogs/certcc/post.cfm?EntryID=221 asking for researchers to investigate the state of SSL inspection features in the marketplace. The Barracuda Web Filter provides SSL inspection functionality and is included in the call for research.
CERT's blog entry calls out 7 common mistakes to check for. The list below details our response to each item as it applies to the Barracuda Web Filter.
1) Incomplete validation of upstream certificate validity
Prior to version 8.1.0.005, the Barracuda Web Filter was not checking upstream certificate validity. This issue has been assigned CVE-2015-0961 and is resolved in the release of firmware version 8.1.0.005.
2) Not conveying validation of upstream certificate to the client
The Barracuda Web Filter does not convey validation failures directly to the client. Rather, when an upstream certificate fails validation, the Barracuda Web Filter will return a block page and the client request will not be sent to the server.
3) Overloading of certificate Canonical Name (CN) field
The Barracuda Web Filter does not modify certificate CNs.
4) Use of the application layer to convey certificate validity
The Barracuda Web Filter uses the application layer to convey certificate verification failures by blocking client requests when upstream certificate validation fails. Non-human clients will not receive certificate validation errors but, rather, will simply fail to communicate with their intended destination.
5) Use of a User-Agent HTTP header to determine when to validate a certificate
The Barracuda Web Filter does not use a User-Agent HTTP header in the certificate validation process.
6) Communication before warning
When upstream certificate validation fails, the Barracuda Web Filter blocks the request and does not send the rest of the client’s request to the server.
7) Same root CA certificate
Versions of the Barracuda Web Filter prior to 8.1.0.005 shipped one of three different default certificates that were shared across multiple machines for use in SSL Inspection.
This issue has been assigned CVE-2015-0962 and is resolved in firmware version 8.1.0.005. Beginning in this version, a unique default certificate is generated for each appliance.
Customers who have enabled SSL Inspection on a Barracuda Web Filter and have since disabled it will also be affected. We recommend that customers upgrade their firmware to version 8.1.0.005 or later. Customers who have deployed the default certificate supplied with the appliance will need to deploy a new client certificate to their clients and remove the previously deployed certificate. Instructions for deploying and removing client certificates are available at http://techlib.barra.../UpdateSSLCerts.
For customers concerned about whether their browsers trust one of the shared default certificates, Barracuda has also provided https://certcheck.barracudalabs.com. Visiting the site will show users if their browser trusts any of the shared default certificates and includes instructions for removing the certificates from the browser trust store if necessary.
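A defender-side check for item 7, added here as an example (it is not Barracuda's code and not the logic behind the certcheck site): scan the trust store Python loads by default for CA certificates matching a subject common-name substring or a SHA-256 fingerprint. The substring and fingerprint values are placeholders to be replaced with the real identifiers of the certificates you want to find.

```python
"""Find CA certificates in the default trust store by CN substring or SHA-256
fingerprint. Added example, not vendor code; the matching values are placeholders."""
from __future__ import annotations

import hashlib
import ssl
from typing import Iterable

# Placeholders (hypothetical): replace with the CN fragment and SHA-256
# fingerprints of the shared default CA certificates you want to detect.
SUSPECT_CN_SUBSTRINGS = ("appliance default",)
SUSPECT_SHA256 = {"00" * 32}


def subject_cn(cert: dict) -> str:
    """Pull commonName out of the nested-tuple subject that get_ca_certs() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, the usual way trust-store entries are identified."""
    return hashlib.sha256(der).hexdigest()


def find_suspects(certs: Iterable[tuple[dict, bytes]],
                  cn_substrings=SUSPECT_CN_SUBSTRINGS,
                  fingerprints=SUSPECT_SHA256) -> list[dict]:
    """Return one report dict per CA whose CN matches a substring or whose fingerprint is listed."""
    hits = []
    for info, der in certs:
        cn = subject_cn(info)
        fp = sha256_fingerprint(der)
        by_fp = fp in fingerprints
        by_cn = any(s.lower() in cn.lower() for s in cn_substrings)
        if by_fp or by_cn:
            hits.append({"cn": cn, "sha256": fp, "notAfter": info.get("notAfter"),
                         "matched_by": "fingerprint" if by_fp else "cn"})
    return hits


def system_ca_certs() -> list[tuple[dict, bytes]]:
    """Pair parsed and DER forms of every CA loaded from the default trust store (same order)."""
    ctx = ssl.create_default_context()
    return list(zip(ctx.get_ca_certs(), ctx.get_ca_certs(binary_form=True)))


if __name__ == "__main__":
    for hit in find_suspects(system_ca_certs()):
        print(hit)
```

Removing a matched certificate is then done with the operating system's or browser's own trust-store tooling, as the advisory's instructions describe.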