Deep Security 10.1 has reached end of support.
Inspect SSL traffic
You can configure SSL inspection for a given credential-port pair on one or more interfaces of your protected computer.
Credentials can be imported in PKCS#12 or PEM format. The credential file must include the private key. Windows computers can use CryptoAPI directly.
Configure SSL inspection
- In Deep Security Manager, select the computer to configure and click Details to open the computer editor.
- In the left pane of the computer editor, select Intrusion Prevention > Advanced, and click View SSL Configurations to display the computer's SSL Configurations window.
- Click New to display the first page of the SSL Configuration wizard.
- Specify the interfaces on this computer to which the configuration applies:
- To apply to all interfaces on this computer, select All Interface(s).
- To apply to specific interfaces, select Specific Interface(s).
- Select Port(s), or select Ports List and choose a list, then click Next.
- On the IP Selection screen, select All IPs or provide a Specific IP on which SSL intrusion prevention analysis should take place, then click Next.
- On the Credentials screen, select the method of providing credentials:
- I will upload credentials now
- The credentials are on the computer
The credential file must include the private key.
- If you will upload credentials now, enter their type, location, and pass phrase (if required).
- If the credentials are on the computer, provide Credential Details.
- If you are using PEM or PKCS#12 credential formats stored on the computer, identify the location of the credential file and the file's pass phrase (if required).
- If you are using Windows CryptoAPI credentials, choose the credentials from the list of credentials found on the computer.
- Provide a name and description for this configuration.
- Review the Summary of the configuration operation and click Finish to close the SSL Configuration Wizard.
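The wizard rejects a credential file that lacks the private key only after the upload. The following is an added example, not Trend Micro code, of a local pre-upload check for a PEM credential: it parses every PEM block, confirms that both a private key and a certificate are present, flags an encrypted key (so you know the wizard will ask for the pass phrase), and catches corrupt base64. It uses only the Python standard library, so it cannot verify that the key actually matches the certificate; the sample files at the bottom are constructed placeholders, not real keys.

```python
"""Pre-upload sanity check for a PEM credential file (added example).

Checks the page's requirement that the credential file include the private
key. Standard library only: it does not verify that the key matches the
certificate.
"""
import base64
import binascii
import re

# One PEM block: label, optional RFC 1421 headers, base64 body. The END label
# must match the BEGIN label (backreference \1).
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Yield (label, encrypted, der) for each block; ValueError on bad base64."""
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Header lines such as "Proc-Type: 4,ENCRYPTED" contain a colon;
        # base64 never does, so splitting on that is safe.
        headers = [l for l in body.splitlines() if ":" in l]
        b64 = "".join(l.strip() for l in body.splitlines() if l and ":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("%s block: invalid base64 (%s)" % (label, exc))
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                            for h in headers))
        yield label, encrypted, der


def check_pem_credential(text):
    """Return (usable, findings) for the text of a PEM credential file."""
    findings = []
    try:
        blocks = list(pem_blocks(text))
    except ValueError as exc:
        return False, [str(exc)]
    keys = [b for b in blocks if b[0] in PRIVATE_KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if not keys:
        findings.append("no private key block: the file cannot be used for "
                        "SSL inspection (the private key is required)")
    if not certs:
        findings.append("no CERTIFICATE block found")
    for label, encrypted, der in blocks:
        if der[:1] != b"\x30":  # X.509 and PKCS#8 objects are DER SEQUENCEs
            findings.append("%s block does not decode to a DER SEQUENCE" % label)
        if encrypted:
            findings.append("%s is encrypted: supply its pass phrase in the wizard" % label)
    usable = bool(keys) and bool(certs) and not any("DER SEQUENCE" in f for f in findings)
    return usable, findings


# Constructed sample files. Each body is a tiny placeholder DER SEQUENCE
# (30 03 02 01 00), not a real key or certificate.
_PLACEHOLDER_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
_CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _PLACEHOLDER_DER
SAMPLE_COMPLETE = _CERT + (
    "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % _PLACEHOLDER_DER)
SAMPLE_CERT_ONLY = _CERT
SAMPLE_ENCRYPTED = _CERT + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n%s\n-----END RSA PRIVATE KEY-----\n" % _PLACEHOLDER_DER)

if __name__ == "__main__":
    for name, sample in [("complete", SAMPLE_COMPLETE), ("cert only", SAMPLE_CERT_ONLY),
                         ("encrypted key", SAMPLE_ENCRYPTED)]:
        print(name, check_pem_credential(sample))
```

Run it against the real file with `check_pem_credential(open(path).read())` before starting the wizard; a `usable` of False with the "no private key block" finding is the case the page warns about.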
Change port settings
Change the port settings for the computer to ensure that the agent is performing the appropriate intrusion prevention filtering on the SSL-enabled ports. The changes you make are applied to a specific application type, such as Web Server Common, on the agent computer. The changes do not affect the application type on other computers.
- Go to Intrusion Prevention Rules in the computer's Details window to see the list of intrusion prevention rules being applied on this computer.
- Sort the rules by Application Type. Scroll down the list to find the application types that are running on this computer, such as "Web Server Common".
- Override the inherited "HTTP" Port List so that you include the port you defined during the SSL Configuration setup as well as port 80. Enter the ports as comma-separated values. For example, if you use port 9090 in the SSL configuration, enter 9090, 80.
- Click OK to close the dialog.
Supported ciphers
Hex Value | OpenSSL Name | IANA Name | NSS Name
---|---|---|---
0x00,0x04 | RC4-MD5 | TLS_RSA_WITH_RC4_128_MD5 | SSL_RSA_WITH_RC4_128_MD5
0x00,0x05 | RC4-SHA | TLS_RSA_WITH_RC4_128_SHA | SSL_RSA_WITH_RC4_128_SHA
0x00,0x09 | DES-CBC-SHA | TLS_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA
0x00,0x0A | DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | SSL_RSA_WITH_3DES_EDE_CBC_SHA
0x00,0x2F | AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA
0x00,0x35 | AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA
0x00,0x3C | AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256
0x00,0x3D | AES256-SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256
0x00,0x41 | CAMELLIA128-SHA | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
0x00,0x84 | CAMELLIA256-SHA | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
0x00,0xBA | CAMELLIA128-SHA256 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
0x00,0xC0 | not implemented | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
0x00,0x7C | not implemented | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
0x00,0x7D | not implemented | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
0x00,0x7E | not implemented | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256
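Every suite in the table uses RSA, DH or DHE key exchange; the ECDHE suites that current servers and browsers prefer are not listed, so a session negotiated with one of them is not decrypted and the intrusion prevention rules on that port see only ciphertext. The following added example (not Trend Micro code) transcribes the table above and checks a list of cipher suites against it, accepting the hex pair as printed on the page, an OpenSSL cipher id, or an OpenSSL, IANA or NSS name, and optionally runs the same check over the suites the local OpenSSL would offer. The `SUPPORTED_CIPHERS` data is copied from the page; everything else is the example's own.

```python
"""Which cipher suites would Deep Security 10.1 SSL inspection decrypt?

Added example. SUPPORTED_CIPHERS is transcribed from the page's
"Supported ciphers" table; the lookup and reporting code is the example's own.
"""
import re
import ssl

# (hex pair, OpenSSL name or None where the page says "not implemented", IANA name)
SUPPORTED_CIPHERS = [
    ((0x00, 0x04), "RC4-MD5", "TLS_RSA_WITH_RC4_128_MD5"),
    ((0x00, 0x05), "RC4-SHA", "TLS_RSA_WITH_RC4_128_SHA"),
    ((0x00, 0x09), "DES-CBC-SHA", "TLS_RSA_WITH_DES_CBC_SHA"),
    ((0x00, 0x0A), "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ((0x00, 0x2F), "AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ((0x00, 0x35), "AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"),
    ((0x00, 0x3C), "AES128-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"),
    ((0x00, 0x3D), "AES256-SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256"),
    ((0x00, 0x41), "CAMELLIA128-SHA", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"),
    ((0x00, 0x84), "CAMELLIA256-SHA", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"),
    ((0x00, 0xBA), "CAMELLIA128-SHA256", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"),
    ((0x00, 0xC0), None, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"),
    ((0x00, 0x7C), None, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"),
    ((0x00, 0x7D), None, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"),
    ((0x00, 0x7E), None, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256"),
]

# Indexes for every identifier form a practitioner is likely to have at hand.
_BY_CODE = {(hi << 8) | lo: iana for (hi, lo), _, iana in SUPPORTED_CIPHERS}
_BY_NAME = {iana: iana for _, _, iana in SUPPORTED_CIPHERS}
_BY_NAME.update({ossl: iana for _, ossl, iana in SUPPORTED_CIPHERS if ossl})
# The NSS column spells the first four rows with an SSL_ prefix; accepting the
# SSL_ form for every row is harmless.
_BY_NAME.update({"SSL_" + iana[4:]: iana for _, _, iana in SUPPORTED_CIPHERS})

_HEX_PAIR = re.compile(r"^0x([0-9A-Fa-f]{2}),\s*0x([0-9A-Fa-f]{2})$")


def lookup(suite):
    """Return the IANA name if `suite` is in the supported table, else None.

    `suite` may be an int code (0x002F, or an OpenSSL id such as 0x0300002F,
    whose low 16 bits are the suite code), the hex pair string as printed on
    the page ("0x00,0x2F"), or an OpenSSL, IANA or NSS name.
    """
    if isinstance(suite, int):
        return _BY_CODE.get(suite & 0xFFFF)
    m = _HEX_PAIR.match(suite.strip())
    if m:
        return _BY_CODE.get(int(m.group(1) + m.group(2), 16))
    return _BY_NAME.get(suite.strip())


def key_exchange(iana_name):
    """Extract the key exchange part of an IANA name (TLS_<kx>_WITH_<cipher>)."""
    m = re.match(r"^(?:TLS|SSL)_(.+?)_WITH_", iana_name)
    return m.group(1) if m else None


def inspection_report(offered):
    """Map each offered suite to (inspectable, reason)."""
    report = {}
    for suite in offered:
        iana = lookup(suite)
        if iana:
            report[suite] = (True, "in supported table as %s (key exchange %s)"
                             % (iana, key_exchange(iana)))
        else:
            report[suite] = (False, "not in supported table: sessions using it "
                                    "stay encrypted for intrusion prevention")
    return report


def local_openssl_report(context=None):
    """Check every suite the local OpenSSL context would offer."""
    ctx = context or ssl.create_default_context()
    return {c["name"]: lookup(c["id"]) is not None for c in ctx.get_ciphers()}


if __name__ == "__main__":
    # Constructed input: one suite from the table, one modern ECDHE suite.
    for suite, verdict in inspection_report(["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]).items():
        print(suite, verdict)
    print(sum(local_openssl_report().values()), "of the local OpenSSL default suites are inspectable")
```

On a current Python, `local_openssl_report()` typically reports zero inspectable suites, because the default context offers only ECDHE and DHE suites with AES-GCM or ChaCha20; that is exactly the situation in which the SSL-enabled port must still be covered by the port list override described under "Change port settings", but no decrypted payload will reach the rules.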
Supported protocols
| Protocol |
|---|
| SSL 3.0 |
| TLS 1.0 |
| TLS 1.1 |
| TLS 1.2 |