Check: AADC-AG-000042
A10 Networks ADC ALG STIG:
AADC-AG-000042
(in versions v2 r1 through v1 r1)
Title
The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. (Cat II impact)
Discussion
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. The A10 Networks ADC can be configured to use Open Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs) to verify the revocation status of certificates. OCSP is preferred since it reduces the overhead associated with CRLs.
Check Content
If the ALG does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable. Verify the ALG validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the ALG does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.
Fix Text
If intermediary services for TLS are provided, configure the device to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. The following command configures an authentication-server profile for an Online Certificate Status Protocol (OCSP) server: authentication-server ocsp [profile-name]
Additional Identifiers
Rule ID: SV-237038r639561_rule
Vulnerability ID: V-237038
Group Title: SRG-NET-000164-ALG-000100
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |