SSL Decryption

Configuration Variable Data Type Description
proxy.config.ssl.enabled INT

Default: 1

When enabled (1), Content Gateway accepts SSL connections and performs URL filtering before establishing a connection with the origin server.

See proxy.config.ssl_decryption.use_decryption to enable SSL decryption.

proxy.config.ssl_decryption.use_decryption INT

Default: 0

When enabled (1), Content Gateway accepts and decrypts SSL traffic. See Working With Encrypted Data.

proxy.config.ssl_decryption_ports INT

Default: 443

The HTTPS ports. Content Gateway allows SSL decryption and policy lookup only to the specified ports.

proxy.config.ssl_decryption.tunnel_TLSv13 INT

Default: 1

When enabled (1), allows tunneling of TLSv1.3-only connections (SSL connections whose "client hello" offers TLSv1.3 and no other protocol).

proxy.config.administrator_id STRING

Default: NULL Do not change.

Holds the encrypted administrator ID.

proxy.config.ssl_decryption.tunnel_unknown_protocols INT

Default: 0

Enables (1) or disables (0) the tunneling of unrecognized protocols on the SSL ports.

proxy.config.ssl_decryption.tunnel_unknown_protocols_timeout INT

Default: 10

Specifies the time, in seconds, that Content Gateway waits for the "client hello" before tunneling the request as an unknown protocol.

proxy.config.ssl_decryption.mirror_enabled INT

Default: 0

Enables (1) or disables SSL Decryption for Port Mirroring.

Note that this feature is only available when SSL decryption is enabled and when Content Gateway is installed on an appliance.

This variable should be edited only by using the appliance CLI.

proxy.config.ssl_decryption.mirror_interface STRING

Default: NULL

The appliance interface that will be used to mirror decrypted SSL traffic.

This variable should be edited only by using the appliance CLI.

proxy.config.ssl_decryption.custom_request_header STRING

Default: X-Proxy-HTTPS:1

The custom header name and value that Port Mirroring inserts into each HTTP request header sent to the monitor network interface.

This variable should be edited only by using the appliance CLI.

proxy.config.ssl.server.TLSv1 INT

Default: 0

When enabled (1), Content Gateway accepts TLSv1 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

proxy.config.ssl.server.TLSv11 INT

Default: 0

When enabled (1), Content Gateway accepts TLSv1.1 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

proxy.config.ssl.server.TLSv12 INT

Default: 1

When enabled (1), Content Gateway accepts TLSv1.2 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

proxy.config.ssl.server.TLSv13 INT

Default: 1

When enabled (1), Content Gateway accepts TLSv1.3 connections from clients. (In this case, “server” refers to Content Gateway’s role as server to the client.)

proxy.config.ssl.client.TLSv1 INT

Default: 0

When enabled (1), Content Gateway accepts TLSv1 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

proxy.config.ssl.client.TLSv11 INT

Default: 0

When enabled (1), Content Gateway accepts TLSv1.1 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

proxy.config.ssl.client.TLSv12 INT

Default: 1

When enabled (1), Content Gateway accepts TLSv1.2 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

proxy.config.ssl.client.TLSv13 INT

Default: 1

When enabled (1), Content Gateway accepts TLSv1.3 connections from origin servers. (In this case, “client” refers to Content Gateway’s role as client to the origin server.)

proxy.config.ssl.client.TLS_padding INT

Default: 1

When enabled (1), Content Gateway adds padding to the "client hello" so that it does not hang the connection.

proxy.config.ssl.server.custom_ciphersuites_enabled INT

Default: 0

When enabled (1), Content Gateway applies the custom cipher suites configured in proxy.config.ssl.server.cipher_suite (for TLS 1.2 and below) and proxy.config.ssl.server.TLSv1_3.cipher_suites (for TLS 1.3).

proxy.config.ssl.server.cipher_suite STRING

Default: DEFAULT

Specifies the client-to-proxy cipher setting. Values are:

DEFAULT

HIGH

MEDIUM:HIGH

In the user interface, when MEDIUM is selected, this value (MEDIUM:HIGH) is actually set in the config file.

The options above must be in uppercase.

In addition to the predefined options, you can apply custom cipher suites using the format recommended by OpenSSL. To enable this, set proxy.config.ssl.server.custom_ciphersuites_enabled to 1; otherwise, the configuration will be considered invalid.

See SSL configuration settings for inbound traffic.

proxy.config.ssl.server.cipherlist_suffix STRING

Default:

:!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH

List of ciphers not allowed for use in client-to-proxy (inbound) communication.

The effective cipher list is formed by appending this suffix to the corresponding cipher_suite value.

Note these entries are case-sensitive and require the leading colon (:).

proxy.config.ssl.server.TLSv1_3.cipher_suites STRING

Default:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256

List of cipher suites used for TLS 1.3 when proxy.config.ssl.server.custom_ciphersuites_enabled is set to 1. Use the OpenSSL format for specifying TLS 1.3 cipher suites.

proxy.config.ssl.client.custom_ciphersuites_enabled INT

Default: 0

When enabled (1), Content Gateway applies the custom cipher suites configured in proxy.config.ssl.client.cipher_suite (for TLS 1.2 and below) and proxy.config.ssl.client.TLSv1_3.cipher_suites (for TLS 1.3).

proxy.config.ssl.client.cipher_suite STRING

Default: DEFAULT

Specifies the client-to-proxy cipher setting. Values are:

DEFAULT

HIGH

MEDIUM:HIGH

In the user interface, when MEDIUM is selected, this value (MEDIUM:HIGH) is actually set in the config file.

The options above must be in uppercase.

In addition to the predefined options, you can apply custom cipher suites using the format recommended by OpenSSL. To enable this, set proxy.config.ssl.client.custom_ciphersuites_enabled to 1; otherwise, the configuration will be considered invalid.

See SSL configuration settings for inbound traffic.

proxy.config.ssl.client.cipherlist_suffix STRING

Default:

:!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH

List of ciphers not allowed for use in proxy-to-server (outbound) communication.

The effective cipher list is formed by appending this suffix to the corresponding cipher_suite value.

Note these entries are case-sensitive and require the leading colon (:).

proxy.config.ssl.client.TLSv1_3.cipher_suites STRING

Default:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256

List of cipher suites used for TLS 1.3 when proxy.config.ssl.client.custom_ciphersuites_enabled is set to 1. Use the OpenSSL format for specifying TLS 1.3 cipher suites.

proxy.config.ssl.client.certification_level INT

Default: 0

Specifies whether client certificates are not needed, optional, or required. The certification level is one of:

0 = no client certificates

1 = client certificates optional

2 = client certificates required

proxy.config.ssl.client.set_sni INT

Default: 1

Enables (1) or disables (0) a feature that forces the proxy to add an outbound SNI (server name indication) when requesting a server certificate be added to the Incident List.

proxy.config.ssl_skip_dns_on_sni INT

Default: 0

Enables (0) or disables (1) the DNS lookup of the CONNECT hostname when an X-Server-IP header is present.

proxy.config.ssl.server.cert.filename STRING

Default: server.crt.pem

The server certificate filename.

proxy.config.ssl.server.private_key.filename STRING

Default: Domainkey.pem

The private key for the server certificate.

proxy.config.ssl.server.private_key.path STRING

Default: /config

The private key path for the server certificate.

proxy.config.ssl.CA.cert.filename STRING

Default: NULL

The name of the file containing the list of CAs that Content Gateway will accept from a client.

When the connection is from the client to Content Gateway and the value of proxy.config.ssl.client.certification_level is 1 or 2, Content Gateway sends the CA list to the client.

proxy.config.ssl.CA.cert.path STRING

Default: NULL

The path to the CA list files. See the preceding entry.

proxy.config.ssl.catree_update INT

Default: 1

Enables (1) or disables (0) automatic updates of the Certificate Authority tree. See Automatic certificate updates.

proxy.config.ssl.client.cert.policy INT

For SSL certificate incidents, specifies whether to tunnel an incident (0), or block the request and create an entry in the incident list (1).

proxy.config.ssl.client.verify.server INT

Enables (1) or disables (0) the Certificate Verification Engine (CVE). See Validating certificates.

proxy.config.ssl.cert.verify.denycnmismatch INT

Default: 0

Enables (1) or disables the CVE check: “Deny certificates where the common name does not match the URL”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.add_cert_to_database INT

Default: 1

Enables (1) or disables the automatic adding of new certificates to the certificate database.

proxy.config.ssl.cert.verify.allowcnwild INT

Default: 0

Enables (1) or disables the CVE check: “Allow wildcard certificates”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.denyexpired INT

Default: 0

Enables (1) or disables the CVE check: “No expired or not yet valid certificates”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.denyselfsigned INT

Default: 1

Enables (1) or disables the CVE check: “Deny self-signed certificates”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.denysha1cert INT

Default: 1

Enables (1) or disables a feature that invalidates SHA-1 intermediate certificates for HTTPS traffic. A block page is served if a SHA-1 certificate is encountered.

proxy.config.ssl.cert.verify.certchain INT

Default: 1

Enables (1) or disables the CVE check: “Verify entire certificate chain”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.checkcrl INT

Default: 0

Enables (1) or disables the CVE check: “Check certificate revocation by CRL”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.checkocsp INT

Default: 0

Enables (1) or disables the CVE check: “Check certificate revocation by OCSP”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.blockunknownocsp INT

Default: 0

Enables (1) or disables the CVE check: “Block certificates with Unknown OCSP state”

The setting applies only when the CVE is enabled.

proxy.config.ssl.cert.verify.denymd5cert INT

Default: 0

Enables (1) denial of certificates that use an MD5 signature.

proxy.config.ssl.cert.verify.revprefer INT

Default: 1

The preferred method for the certificate revocation check.

1 = CRL

2 = OCSP

proxy.config.ssl.cert.verify.blocknouri INT

Default: 0

Enables (1) or disables the CVE check: “Block certificates with no CRL URI and with no OCSP URI”

proxy.config.ssl.cert.verify.bypassfail INT

Default: 1

Enables (1) the certificate check failure bypass option that allows users to proceed to a site after the certificate check has failed.

proxy.config.ssl.cert.verify.bypasscache INT

Default: 1

Enables (1) the verification timeout cache.

proxy.config.ssl.cert.verify.bypasscachetimeout INT

Default: 6

The time, in seconds, after which an entry in the verification bypass cache times out and is purged.

proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic INT

Default: 0

Enables (1) or disables (0) tunneling of non-SSL traffic.

This variable must be added manually.
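The protocol-version, cipher-suite and CVE-check variables above interact, and a reviewer will want to read them together rather than one at a time. The following audit script is an added example, not part of this reference or of the Content Gateway product; it assumes (the page does not say) that the variables are stored in records.config using the line format "CONFIG <name> <TYPE> <value>", and the sample fragment it checks is constructed.

```python
import re
# Assumption (not stated on this page): Content Gateway stores these variables in
# records.config using the line format "CONFIG <name> <TYPE> <value>".
LINE_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(INT|STRING)\s+(\S+)", re.M)
PREDEFINED_CIPHER_VALUES = {"DEFAULT", "HIGH", "MEDIUM:HIGH"}
# CVE checks from the table above; a value of 0 switches the protection off.
CVE_CHECKS = {
    "proxy.config.ssl.cert.verify.denyexpired": "expired or not-yet-valid certificates are accepted",
    "proxy.config.ssl.cert.verify.denyselfsigned": "self-signed certificates are accepted",
    "proxy.config.ssl.cert.verify.certchain": "the certificate chain is not verified",
}
# Constructed sample fragment, not taken from the page or from a real deployment.
SAMPLE = """\
CONFIG proxy.config.ssl_decryption.use_decryption INT 1
CONFIG proxy.config.ssl.server.TLSv1 INT 1
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.cert.verify.denyexpired INT 0
CONFIG proxy.config.ssl.cert.verify.checkcrl INT 0
CONFIG proxy.config.ssl.cert.verify.checkocsp INT 0
CONFIG proxy.config.ssl.cert.verify.bypassfail INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING high
"""

def parse_records(text):
    # INT values become int, STRING values stay str; other lines are ignored.
    return {n: int(v) if t == "INT" else v for n, t, v in LINE_RE.findall(text)}

def audit(cfg):
    # Only variables actually present in cfg are judged; defaults are not assumed.
    out = []
    for side in ("server", "client"):
        for ver in ("TLSv1", "TLSv11"):
            if cfg.get(f"proxy.config.ssl.{side}.{ver}") == 1:
                out.append(f"{side}: legacy {ver} accepted")
        suite = cfg.get(f"proxy.config.ssl.{side}.cipher_suite")
        if suite is not None and suite not in PREDEFINED_CIPHER_VALUES:
            if suite.upper() in PREDEFINED_CIPHER_VALUES:
                out.append(f"{side}: cipher_suite {suite!r} must be uppercase")
            elif cfg.get(f"proxy.config.ssl.{side}.custom_ciphersuites_enabled", 0) != 1:
                out.append(f"{side}: custom cipher_suite needs custom_ciphersuites_enabled=1")
    if cfg.get("proxy.config.ssl_decryption.use_decryption") == 1:
        if cfg.get("proxy.config.ssl.client.verify.server") != 1:
            out.append("decryption on but the Certificate Verification Engine is not enabled")
        else:
            out += [msg for name, msg in CVE_CHECKS.items() if cfg.get(name) == 0]
            if cfg.get("proxy.config.ssl.cert.verify.checkcrl") == 0 and cfg.get("proxy.config.ssl.cert.verify.checkocsp") == 0:
                out.append("revocation is checked by neither CRL nor OCSP")
        if cfg.get("proxy.config.ssl.cert.verify.bypassfail") == 1:
            out.append("users may proceed after a failed certificate check")
    return out
```

Running `audit(parse_records(SAMPLE))` on the constructed fragment reports the legacy TLSv1 listener, the lowercase cipher value, the disabled expiry and revocation checks, and the enabled failure bypass.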