The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-237038	AADC-AG-000042	SV-237038r639561_rule		Medium

Description
A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. The A10 Networks ADC can be configured to use Open Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs) to verify the revocation status of certificates. OCSP is preferred since it reduces the overhead associated with CRLs.

Description

A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path validation is necessary for a relying party to make an informed decision regarding acceptance of an end entity certificate. Certification path validation includes checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path is commonly provided via certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responses. The A10 Networks ADC can be configured to use Open Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs) to verify the revocation status of certificates. OCSP is preferred since it reduces the overhead associated with CRLs.

STIG	Date
A10 Networks ADC ALG Security Technical Implementation Guide	2021-03-25

Details

Check Text ( C-40257r639559_chk )
If the ALG does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable. Verify the ALG validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation. If the ALG does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.

Check Text ( C-40257r639559_chk )

If the ALG does not provide intermediary services for TLS, or application protocols that use TLS (e.g., DNSSEC or HTTPS), this is not applicable.

Verify the ALG validates certificates used for TLS functions by performing RFC 5280-compliant certification path validation.

If the ALG does not validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation, this is a finding.

Fix Text (F-40220r639560_fix)
If intermediary services for TLS are provided, configure the device to validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. The following command configures an authentication-server profile for an Online Certificate Status Protocol (OCSP) server: authentication-server ocsp [profile-name]