SSL Decryption
Configuration Variable | Data Type | Description |
---|---|---|
proxy.config.ssl.enabled | INT | Default: 1. When enabled (1), Content Gateway accepts SSL connections and performs URL filtering before establishing a connection with the origin server. See proxy.config.ssl_decryption.use_decryption to enable SSL decryption. |
proxy.config.ssl_decryption.use_decryption | INT | Default: 0. When enabled (1), Content Gateway accepts and decrypts SSL traffic. See Working With Encrypted Data. |
proxy.config.ssl_decryption_ports | INT | Default: 443. The HTTPS ports. Content Gateway allows SSL decryption and policy lookup only to the specified ports. |
proxy.config.ssl_decryption.tunnel_TLSv13 | INT | Default: 1. When enabled (1), allows tunneling of TLSv1.3-only connections (SSL connections whose “client hello” offers TLSv1.3 and no other protocol). |
proxy.config.administrator_id | STRING | Default: NULL. Do not change. Holds the encrypted administrator ID. |
proxy.config.ssl_decryption.tunnel_unknown_protocols | INT | Default: 0. Enables (1) or disables (0) the tunneling of unrecognized protocols using SSL ports. |
proxy.config.ssl_decryption.tunnel_unknown_protocols_timeout | INT | Default: 10. The time, in seconds, that Content Gateway waits for the “client hello” response before tunneling the request as an unknown protocol. |
proxy.config.ssl_decryption.mirror_enabled | INT | Default: 0. Enables (1) or disables (0) SSL Decryption for Port Mirroring. This feature is available only when SSL decryption is enabled and Content Gateway is installed on an appliance. Edit this variable only by using the appliance CLI. |
proxy.config.ssl_decryption.mirror_interface | STRING | Default: NULL. The appliance interface used to mirror decrypted SSL traffic. Edit this variable only by using the appliance CLI. |
proxy.config.ssl_decryption.custom_request_header | STRING | Default: X-Proxy-HTTPS:1. The custom header name and value that Port Mirroring inserts into each HTTP request header sent to the monitor network interface. Edit this variable only by using the appliance CLI. |
proxy.config.ssl.server.TLSv1 | INT | Default: 0. When enabled (1), Content Gateway accepts TLSv1 connections from clients. (Here “server” refers to Content Gateway’s role as server to the client.) |
proxy.config.ssl.server.TLSv11 | INT | Default: 0. When enabled (1), Content Gateway accepts TLSv1.1 connections from clients. (Here “server” refers to Content Gateway’s role as server to the client.) |
proxy.config.ssl.server.TLSv12 | INT | Default: 1. When enabled (1), Content Gateway accepts TLSv1.2 connections from clients. (Here “server” refers to Content Gateway’s role as server to the client.) |
proxy.config.ssl.server.TLSv13 | INT | Default: 1. When enabled (1), Content Gateway accepts TLSv1.3 connections from clients. (Here “server” refers to Content Gateway’s role as server to the client.) |
proxy.config.ssl.client.TLSv1 | INT | Default: 0. When enabled (1), Content Gateway accepts TLSv1 connections from origin servers. (Here “client” refers to Content Gateway’s role as client to the origin server.) |
proxy.config.ssl.client.TLSv11 | INT | Default: 0. When enabled (1), Content Gateway accepts TLSv1.1 connections from origin servers. (Here “client” refers to Content Gateway’s role as client to the origin server.) |
proxy.config.ssl.client.TLSv12 | INT | Default: 1. When enabled (1), Content Gateway accepts TLSv1.2 connections from origin servers. (Here “client” refers to Content Gateway’s role as client to the origin server.) |
proxy.config.ssl.client.TLSv13 | INT | Default: 1. When enabled (1), Content Gateway accepts TLSv1.3 connections from origin servers. (Here “client” refers to Content Gateway’s role as client to the origin server.) |
proxy.config.ssl.client.TLS_padding | INT | Default: 1. When enabled (1), Content Gateway adds padding to ensure a “client hello” does not hang the connection. |
proxy.config.ssl.server.custom_ciphersuites_enabled | INT | Default: 0. When enabled (1), Content Gateway uses the custom cipher suites configured in proxy.config.ssl.server.cipher_suite (for TLS 1.2 and below) and proxy.config.ssl.server.TLSv1_3.cipher_suites (for TLS 1.3). |
proxy.config.ssl.server.cipher_suite | STRING | Default: DEFAULT. Specifies the client-to-proxy cipher setting. Values are DEFAULT, HIGH, or MEDIUM:HIGH (when MEDIUM is selected in the user interface, MEDIUM:HIGH is the value actually written to the config file). These options must be in uppercase. In addition to the predefined options, you can apply custom cipher suites using the format recommended by OpenSSL; to enable this, set proxy.config.ssl.server.custom_ciphersuites_enabled to 1, otherwise the configuration is considered invalid. See SSL configuration settings for inbound traffic. |
proxy.config.ssl.server.cipherlist_suffix | STRING | Default: :!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH. List of ciphers not allowed for use in client-to-proxy (inbound) communication. The cipher list is determined by combining the corresponding cipherlist_ option with this list. These entries are case-sensitive and require the leading colon (:). |
proxy.config.ssl.server.TLSv1_3.cipher_suites | STRING | Default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256. List of cipher suites used for TLS 1.3 when proxy.config.ssl.server.custom_ciphersuites_enabled is set to 1. Use the OpenSSL format for specifying TLS 1.3 cipher suites. |
proxy.config.ssl.client.custom_ciphersuites_enabled | INT | Default: 0. When enabled (1), Content Gateway uses the custom cipher suites configured in proxy.config.ssl.client.cipher_suite (for TLS 1.2 and below) and proxy.config.ssl.client.TLSv1_3.cipher_suites (for TLS 1.3). |
proxy.config.ssl.client.cipher_suite | STRING | Default: DEFAULT. Specifies the client-to-proxy cipher setting. Values are DEFAULT, HIGH, or MEDIUM:HIGH (when MEDIUM is selected in the user interface, MEDIUM:HIGH is the value actually written to the config file). These options must be in uppercase. In addition to the predefined options, you can apply custom cipher suites using the format recommended by OpenSSL; to enable this, set proxy.config.ssl.client.custom_ciphersuites_enabled to 1, otherwise the configuration is considered invalid. See SSL configuration settings for inbound traffic. |
proxy.config.ssl.client.cipherlist_suffix | STRING | Default: :!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH. List of ciphers not allowed for use in proxy-to-server (outbound) communication. The cipher list is determined by combining the corresponding cipherlist_ option with this list. These entries are case-sensitive and require the leading colon (:). |
proxy.config.ssl.client.TLSv1_3.cipher_suites | STRING | Default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256. List of cipher suites used for TLS 1.3 when proxy.config.ssl.client.custom_ciphersuites_enabled is set to 1. Use the OpenSSL format for specifying TLS 1.3 cipher suites. |
proxy.config.ssl.client.certification_level | INT | Default: 0. Whether client certificates are not needed (0), optional (1), or required (2). |
proxy.config.ssl.client.set_sni | INT | Default: 1. Enables (1) or disables (0) a feature that forces the proxy to add an outbound SNI (server name indication) when requesting that a server certificate be added to the Incident List. |
proxy.config.ssl_skip_dns_on_sni | INT | Default: 0. When 0, Content Gateway performs a DNS lookup for the CONNECT hostname when X-Server-IP is present in the header; when 1, the lookup is skipped. |
proxy.config.ssl.server.cert.filename | STRING | Default: server.crt.pem. The server certificate filename. |
proxy.config.ssl.server.private_key.filename | STRING | Default: Domainkey.pem. The private key for the server certificate. |
proxy.config.ssl.server.private_key.path | STRING | Default: /config. The private key path for the server certificate. |
proxy.config.ssl.CA.cert.filename | STRING | Default: NULL. The name of the file containing the list of CAs that Content Gateway will accept from a client. When the connection is from the client to Content Gateway and the value of proxy.config.ssl.client.certification_level is 1 or 2, Content Gateway sends the CA list to the client. |
proxy.config.ssl.CA.cert.path | STRING | Default: NULL. The path to the CA list files. See the preceding entry. |
proxy.config.ssl.catree_update | INT | Default: 1. Enables (1) or disables (0) automatic updates of the Certificate Authority tree. See Automatic certificate updates. |
proxy.config.ssl.client.cert.policy | INT | For SSL certificate incidents, specifies whether to tunnel an incident (0), or block the request and create an entry in the incident list (1). |
proxy.config.ssl.client.verify.server | INT | Enables (1) or disables (0) the Certificate Verification Engine (CVE). See Validating certificates. |
proxy.config.ssl.cert.verify.denycnmismatch | INT | Default: 0. Enables (1) or disables (0) the CVE check “Deny certificates where the common name does not match the URL”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.add_cert_to_database | INT | Default: 1. Enables (1) or disables (0) the automatic adding of new certificates to the certificate database. |
proxy.config.ssl.cert.verify.allowcnwild | INT | Default: 0. Enables (1) or disables (0) the CVE check “Allow wildcard certificates”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.denyexpired | INT | Default: 0. Enables (1) or disables (0) the CVE check “No expired or not yet valid certificates”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.denyselfsigned | INT | Default: 1. Enables (1) or disables (0) the CVE check “Deny self-signed certificates”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.denysha1cert | INT | Default: 1. Enables (1) or disables (0) a feature that invalidates SHA-1 intermediate certificates for HTTPS traffic. A block page is served if a SHA-1 certificate is encountered. |
proxy.config.ssl.cert.verify.certchain | INT | Default: 1. Enables (1) or disables (0) the CVE check “Verify entire certificate chain”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.checkcrl | INT | Default: 0. Enables (1) or disables (0) the CVE check “Check certificate revocation by CRL”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.checkocsp | INT | Default: 0. Enables (1) or disables (0) the CVE check “Check certificate revocation by OCSP”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.blockunknownocsp | INT | Default: 0. Enables (1) or disables (0) the CVE check “Block certificates with Unknown OCSP state”. Applies only when the CVE is enabled. |
proxy.config.ssl.cert.verify.denymd5cert | INT | Default: 0. Enables (1) denial of certificates that use an MD5 signature. |
proxy.config.ssl.cert.verify.revprefer | INT | Default: 1. The preferred method for the certificate revocation check: 1 = CRL, 2 = OCSP. |
proxy.config.ssl.cert.verify.blocknouri | INT | Default: 0. Enables (1) or disables (0) the CVE check “Block certificates with no CRL URI and with no OCSP URI”. |
proxy.config.ssl.cert.verify.bypassfail | INT | Default: 1. Enables (1) the certificate check failure bypass option, which allows users to proceed to a site after the certificate check has failed. |
proxy.config.ssl.cert.verify.bypasscache | INT | Default: 1. Enables (1) the verification timeout cache. |
proxy.config.ssl.cert.verify.bypasscachetimeout | INT | Default: 6. The time, in seconds, after which an entry in the verification bypass cache times out and is purged. |
proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic | INT | Default: 0. Enables (1) or disables (0) tunneling of non-SSL traffic. This variable must be added manually. |
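Several of the variables above default to the permissive choice (legacy TLS versions are merely off, the expired-certificate check is off, MD5 signatures are accepted, and the certificate-check bypass is on), so a deployment that only ever touches a few keys can drift from the posture an operator thinks it has. The following script is an added example, not code from the Content Gateway product or its manual: it parses a records.config fragment and reports every baseline variable whose effective value (explicit setting, or the documented default when the key is absent) is weaker than a chosen hardening baseline. It assumes the file stores each setting as one line of the form `CONFIG <variable> <TYPE> <value>`; the baseline values and the sample fragment are constructed for the example, while the variable names, types and defaults come from the table.

```python
"""Audit Content Gateway SSL decryption settings against a hardening baseline.

Added example; not code from the Content Gateway product or its manual.
Assumption: records.config stores each setting as one line of the form
``CONFIG <variable> <TYPE> <value>``. Variable names, types and documented
defaults come from the reference table; the baseline and the sample file
below are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample fragment with several weak settings left in place.
SAMPLE_RECORDS_CONFIG = """\
# constructed sample, not a real deployment
CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl_decryption.use_decryption INT 1
CONFIG proxy.config.ssl.server.TLSv1 INT 1
CONFIG proxy.config.ssl.server.TLSv11 INT 0
CONFIG proxy.config.ssl.server.TLSv12 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.cert.verify.denyexpired INT 0
CONFIG proxy.config.ssl.cert.verify.denyselfsigned INT 1
CONFIG proxy.config.ssl.cert.verify.bypassfail INT 1
CONFIG proxy.config.ssl.server.cipherlist_suffix STRING :!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH
"""

# variable -> (expected value, documented default or None, why a deviation
# matters). None means the table lists no default, so an absent key is
# reported as unset rather than assumed safe.
BASELINE: Dict[str, Tuple[str, Optional[str], str]] = {
    "proxy.config.ssl.server.TLSv1": ("0", "0", "TLS 1.0 accepted from clients"),
    "proxy.config.ssl.server.TLSv11": ("0", "0", "TLS 1.1 accepted from clients"),
    "proxy.config.ssl.client.TLSv1": ("0", "0", "TLS 1.0 accepted from origin servers"),
    "proxy.config.ssl.client.TLSv11": ("0", "0", "TLS 1.1 accepted from origin servers"),
    "proxy.config.ssl.client.verify.server": ("1", None, "Certificate Verification Engine (CVE) not enabled"),
    "proxy.config.ssl.cert.verify.denyexpired": ("1", "0", "expired or not-yet-valid certificates accepted"),
    "proxy.config.ssl.cert.verify.denyselfsigned": ("1", "1", "self-signed certificates accepted"),
    "proxy.config.ssl.cert.verify.certchain": ("1", "1", "full certificate chain not verified"),
    "proxy.config.ssl.cert.verify.denymd5cert": ("1", "0", "MD5-signed certificates accepted"),
    "proxy.config.ssl.cert.verify.denysha1cert": ("1", "1", "SHA-1 intermediate certificates accepted"),
    "proxy.config.ssl.cert.verify.bypassfail": ("0", "1", "users can bypass a failed certificate check"),
}

# One setting per line; STRING values such as cipher lists may contain colons.
_LINE_RE = re.compile(r"^CONFIG\s+(\S+)\s+(INT|STRING|FLOAT)\s*(.*?)\s*$")


def parse_records_config(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {variable: (type, value)}; blank lines and comments are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if match:
            name, typ, value = match.groups()
            settings[name] = (typ, value)
    return settings


def audit(settings: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (variable, effective value, source, reason) for each deviation.

    source is "file" for an explicit setting, "default" when the documented
    default applies, or "unset" when the key is absent and no default is known.
    """
    findings = []
    for var, (expected, default, reason) in BASELINE.items():
        if var in settings:
            actual, source = settings[var][1], "file"
        elif default is not None:
            actual, source = default, "default"
        else:
            actual, source = "", "unset"
            reason = f"{reason} (variable not set; no documented default)"
        if actual != expected:
            findings.append((var, actual, source, reason))
    return findings


if __name__ == "__main__":
    for var, actual, source, reason in audit(parse_records_config(SAMPLE_RECORDS_CONFIG)):
        print(f"{var} = {actual!r} [{source}]: {reason}")
```

Because the audit falls back to the documented default for absent keys, it catches both kinds of drift: a key explicitly set to a weak value and a key never written at all whose default is weak (here `denymd5cert`). Note that the `proxy.config.ssl.cert.verify.*` checks only take effect when the CVE itself (`proxy.config.ssl.client.verify.server`) is enabled, so the first finding to act on in the sample is the disabled CVE.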