SSL Decryption

Default: 1

When enabled (1), Content Gateway accepts SSL connections and performs URL filtering before establishing a connection with the origin server.

See proxy.config.ssl_decryption.use_ decryption to enable SSL decryption.

Default: 0

When enabled (1), Content Gateway accepts and decrypts SSL traffic. See Working With Encrypted Data.

Default: 443

The HTTPS ports. Content Gateway allows SSL decryption and policy lookup only to the specified ports.

Default: 1

When enabled (1), allows for tunneling of TLSV1.3-only connections (SSL connections that offer TLSv1.3, and no other protocols, as their “client hello”).

Default: NULL Do not change.

Holds the encrypted administrator ID.

Default: 0

Enables (1) or disables the tunneling of unrecognized protocols using SSL ports.

Default: 10

Specifies the time in seconds that Content Gateway waits for the “client hello” response before tunneling the request as an unknown protocol.

Default: 0

Enables (1) or disables SSL Decryption for Port Mirroring.

Note that this feature is only available when SSL decryption is enabled and when Content Gateway is installed on an appliance.

This variable should be edited only by using the appliance CLI.

Default: NULL

The appliance interface that will be used to mirror decrypted SSL traffic.

This variable should be edited only by using the appliance CLI.

Default: X-Proxy-HTTPS:1

The custom header name and value that Port Mirroring inserts into each HTTP request header sent to the monitor network interface.

This variable should be edited only by using the appliance CLI.

Default: 0

When enabled (1), Content Gateway accepts TLSv1 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

Default: 0

When enabled (1), Content Gateway accepts TLSv1.1 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

Default: 1

When enabled (1), Content Gateway accepts TLSv1.2 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

Default: 1

When enabled (1), Content Gateway accepts TLSv1.3 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

Default: 0

When enabled (1), Content Gateway accepts TLSv1 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

Default: 0

When enabled (1), Content Gateway accepts TLSv1.1 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

Default: 1

When enabled (1), Content Gateway accepts TLSv1.2 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

Default: 1

When enabled (1), Content Gateway accepts TLSv1.3 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

Default: 1

When enabled (1), Content Gateway will add padding to ensure a “client hello” does not hang the connection

Default: 0

When enabled (1), Content Gateway will consider customer cipher suites configured in proxy.config.ssl.server.cipher_suite (for TLS1.2 and below) and proxy.config.ssl.server.TLSv1_3.cipher_suites (for TLS1.3).

Default: DEFAULT

Specifies the client-to-proxy cipher setting. Values are:

DEFAULT

HIGH

MEDIUM:HIGH

In the user interface, when MEDIUM is selected, this value (MEDIUM:HIGH) is actually set in the config file.

These above options must be in uppercase.

In addition to the predefined options, you can apply custom cipher suites using the format recommended by OpenSSL. To enable this, set proxy.config.ssl.server.custom_ciphersuites_enabled to 1; otherwise, the configuration will be considered invalid.

See SSL configuration settings for inbound traffic.

Default:

:!ADH:!RC4:!3DES:!EXP:!DES:!IDEA- CBC-SHA:@STRENGTH

List of ciphers not allowed for use in client-to-proxy (inbound) communication.

The cipher list is determined by combining the corresponding cipherlist_ option with this list.

Note these entries are case-sensitive and require the leading colon (:).

Default:

TLS_AES_256_GCM_SHA384:

TLS_CHACHA20_POLY1305_SHA256:

TLS_AES_128_GCM_SHA256:

TLS_AES_128_CCM_8_SHA256:

TLS_AES_128_CCM_SHA256

List of cipher suites to be used for TLS1.3 when proxy.config.ssl.server.custom_ciphersuites_enabled is set to 1. Use the OpenSSL format for specifying TLS1.3 cipher suites.

Default: 0

When enabled (1), Content Gateway will consider customer cipher suites configured in proxy.config.ssl.client.cipher_suite (for TLS1.2 and below) and proxy.config.ssl.client.TLSv1_3.cipher_suites (for TLS1.3).

Default: DEFAULT

Specifies the client-to-proxy cipher setting. Values are:

DEFAULT

HIGH

MEDIUM:HIGH

In the user interface, when MEDIUM is selected, this value (MEDIUM:HIGH) is actually set in the config file.

These above options must be in uppercase.

In addition to the predefined options, you can apply custom cipher suites using the format recommended by OpenSSL. To enable this, set proxy.config.ssl.client.custom_ciphersuites_enabled to 1; otherwise, the configuration will be considered invalid.

See SSL configuration settings for inbound traffic.

Default:

:!ADH:!RC4:!3DES:!EXP:!DES:!IDEA- CBC-SHA:@STRENGTH

List of ciphers not allowed for use in proxy-to-server (outbound) communication.

The cipher list is determined by combining the corresponding cipherlist_ option with this list.

Note these entries are case-sensitive and require the leading colon (:).

Default:

TLS_AES_256_GCM_SHA384:

TLS_CHACHA20_POLY1305_SHA256:

TLS_AES_128_GCM_SHA256:

TLS_AES_128_CCM_8_SHA256:

TLS_AES_128_CCM_SHA256

List of cipher suites to be used for TLS1.3 when proxy.config.ssl.client.custom_ciphersuites_enabled is set to 1. Use the OpenSSL format for specifying TLS1.3 cipher suites.

Default: 0

Whether client certificates are not needed, optional, or required. certification level should be:

0 = no client certificates

1 = client certificates optional

2 = client certificates required

Default: 1

Enables (1) or disables (0) a feature that forces the proxy to add an outbound SNI (server name indication) when requesting a server certificate be added to the Incident List.

Default: 0

Enables (0) or disables (1) a DNS lookup for the CONNECT hostname when X- Server-IP is present in the header

Default: server.crt.pem

The server certificate filename.

Default: Domainkey.pem

The private key for the server certificate.

Default: /config

The private key path for the server certificate.

Default: NULL

Te name of the file containing the list of CAs that Content Gateway will accept from a client.

When the connection is from the client to Content Gateway and the value of proxy. config.ssl.client.certification_level is 1 or 2, Content Gateway sends the CA list to client.

Default: NULL

The path to the CA list files. See the preceding entry.

Default: 1

Enables (1) or disables (0) automatic updates of the Certificate Authority tree. See Automatic certificate updates.

Default: 0

Enables (1) or disables the CVE check: “Deny certificates where the common name does not match the URL”

The setting applies only when the CVE is enabled.

Default: 1

Enables (1) or disables the automatic adding of new certificates to the certificate database.

Default: 0

Enables (1) or disables the CVE check: “Allow wildcard certificates”

The setting applies only when the CVE is enabled.

Default: 0

Enables (1) or disables the CVE check: “No expired or not yet valid certificates”

The setting applies only when the CVE is enabled.

Default: 1

Enables (1) or disables the CVE check: “Deny self-signed certificates”

This setting applies only when the CVE is enabled

Default: 1

Enables (1) or disables a feature that invalidates SHA-1 intermediate certificates for HTTPS traffic. A block page is served if a SHA-1 certificate is encountered.

Default: 1

Enables (1) or disables the CVE check: “Verify entire certificate chain”

The setting applies only when the CVE is enabled.

Default: 0

Enables (1) or disables the CVE check: “Check certificate revocation by CRL”

The setting applies only when the CVE is enabled.

Default: 0

Enables (1) or disables the CVE check: “Check certificate revocation by OCSP”

The setting applies only when the CVE is enabled.

Default: 0

Enables (1) or disables the CVE check: “Block certificates with Unknown OCSP state”

The setting applies only when the CVE is enabled.

Default: 0

Enables (1) denial of certificates that use an MD5 signiture.

Default: 1

The preferred method for the certificate revocation check.

1 = CRL

2 = OCSP

Default: 0

Enables (1) or disables the CVE check: “Block certificates with no CRL URI and with no OCSP URI”

Default: 1

Enables (1) the certificate check failure bypass option that allows users to proceed to a site after the certificate check has failed.

Default: 1

Enables (1) the verification timeout cache.

Default: 6

The time, in seconds, that an entry in verification bypass cache times out and is purged.