Solution: upgrade to SGOS 18.104.22.168 or later, apply the new policy as described in the Content Policy Language Reference
(this can be dowloaded from bto.bluecoat.com
Tests whether or not the server has requested SSL client certificate authentication.
When the SSL proxy establishes a connection with the server and the server requests an SSL client certificate, this condition is set to yes; else, it is set to no. This condition is NULL for transactions that do not involve an SSL connection to the client.
When the ProxySG evaluates this condition, it uses a list of requesting servers (a Client Certificate Requested list) to determine if a client certificate was requested during both an initial handshake and renegotiation. As long as this condition exists in policy, the ProxySG can automatically detect servers that request a client certificate during renegotiation and maintain the Client Certificate Requested list.Syntax
client.certificate.requested = yes|noLayer and Transaction Notes
- Use in <SSL-Intercept> layer.
- Applies to: SSL Intercept transactions
This condition is used to avoid intercepting SSL proxy traffic when a server requests a client certificate to authenticate the client. The reason is that client certificates are not supported in this configuration. When intercepting such traffic, the appliance generates an exception page. The policy below enables SSL proxy interception only when a client certificate is not requested by the server.<SSL-Intercept>
; If the server requests a client certificate, tunnel the SSL traffic via SSL proxy
; Otherwise, intercept SSL traffic using HTTPS forward proxy.
ssl.forward_proxy(https); Exclude the bottom rule if you have a rule to bypass SSL interception in VPM.