Untrusted Server Certs & OCSP Revocation Check - Practical Settings?

See topic. Our SSL Inspection policy is currently configured to block untrusted server certificates and to perform OCSP Revocation Checks. We are seeing quite a few blocks in our logs for large companies such as FedEx, PayPal, etc. w/ the tag "Access Denied Due To Bad Server Certificate".

Are our settings too aggressive to be practical? Do most customers disable one or both of the two settings to avoid playing whack-a-mole with whitelisting every day?

I’ve run into this issue too. I suspect my issue is because a certain application is reaching out to a server that has a certificate from a Private CA. I’m aware of another UTM/Web Proxy platform that I’ve worked with, where you could add certificate authorities to the proxy-side Client Trust store.

Wonder if this is configurable in ZIA?

We only ran down one of these because it was a well-known security vendor’s URL. As it turns out, the vendor was self-signing the cert. They submitted an internal ticket to correct the issue. We’ve left the setting in place and it has been a non-issue for us. Typically, a service provider won’t self-sign anything critical, so the impact will almost always be negligible.
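A small triage helper, added here as an example and not part of the thread or of any vendor's tooling: it sorts a blocked site's certificate into the three cases discussed above (self-signed, signed by an issuer outside the proxy's trust store such as a private CA, or trusted) and reports whether the cert even carries an OCSP responder URI for a revocation check to use. It assumes only the `openssl` CLI; the CA, leaf and self-signed certs it checks are constructed on the fly, and the hostnames in them are placeholders.

```shell
#!/bin/sh
# classify_cert CERT.pem TRUST_BUNDLE.pem
# Prints one of: self-signed | untrusted-issuer | trusted:ocsp=<uri> | trusted:no-ocsp-uri
classify_cert() {
  cert="$1"; trust="$2"
  subj=$(openssl x509 -in "$cert" -noout -subject)
  iss=$(openssl x509 -in "$cert" -noout -issuer)
  ocsp=$(openssl x509 -in "$cert" -noout -ocsp_uri)   # AIA OCSP responder, if any
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo "self-signed"                # the vendor case from the thread
  elif openssl verify -CAfile "$trust" "$cert" >/dev/null 2>&1; then
    # chain builds to a trusted root; an OCSP check still needs a responder URI
    [ -n "$ocsp" ] && echo "trusted:ocsp=$ocsp" || echo "trusted:no-ocsp-uri"
  else
    echo "untrusted-issuer"           # e.g. a private CA the proxy does not trust
  fi
}

# Constructed sample material (not real certificates): a private CA, a leaf it
# signs, and a self-signed server cert. Hostnames are placeholders.
make_samples() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Example Private CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=app.example.internal" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 2 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/self.key" -out "$d/self.pem" \
    -subj "/CN=vendor.example.com" -days 2 2>/dev/null
}

# Demo: leaf verifies once the private CA is in the trust bundle; the self-signed
# cert and a leaf checked against the wrong bundle do not.
tmp=$(mktemp -d)
make_samples "$tmp"
printf 'self.pem vs ca.pem : %s\n' "$(classify_cert "$tmp/self.pem" "$tmp/ca.pem")"
printf 'leaf.pem vs ca.pem : %s\n' "$(classify_cert "$tmp/leaf.pem" "$tmp/ca.pem")"
printf 'leaf.pem vs self.pem: %s\n' "$(classify_cert "$tmp/leaf.pem" "$tmp/self.pem")"
```

Pointing `classify_cert` at a cert saved from a blocked site and at the bundle the proxy trusts tells you whether adding a CA to the trust store would clear the block or whether the site owner has to fix the cert.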