Inspect SSL or TLS traffic

For the intrusion prevention module, you can configure SSL inspection for a given credential-port pair on one or more interfaces of your protected computer.

Compressed traffic does not support SSL inspection.

Credentials can be imported in PKCS#12 or PEM format. The credential file must include the private key. Windows computers can use CryptoAPI directly.

For an overview of the intrusion prevention module, see Block exploit attempts using intrusion prevention.

In this topic:

Configure SSL inspection

  1. In Deep Security Manager, select the computer to configure and click Details to open the computer editor.
  2. In the left pane of the computer editor, click Intrusion Prevention > Advanced > View SSL Configurations, and click View SSL Configurations to open the SSL computer Configurations window.
  3. Click New to open the SSL Configuration wizard.
  4. Specify the interface to which to apply the configuration on this computer:
    • To apply to all interfaces on this computer, select All Interface(s).
    • To apply to specific interfaces, select Specific Interface(s).
  5. Select Port(s) or Ports List and select a list, then click Next.
  6. On the IP Selection screen, select All IPs or provide a Specific IP on which to perform SSL inspection, then click Next.
  7. On the Credentials screen, select how to provide the credentials:
    • I will upload credentials now
    • The credentials are on the computer
    • The credential file must include the private key.
  8. If you chose the option to upload credentials now, enter their type, location, and pass phrase (if required).

    If the credentials are on the computer, provide Credential Details.

    • If you are using PEM or PKCS#12 credential formats stored on the computer, identify the location of the credential file and the file's pass phrase (if required).
    • If you are using Windows CryptoAPI credentials, choose the credentials from the list of credentials found on the computer.
  9. Provide a name and description for this configuration.
  10. Review the summary and close the SSL Configuration Wizard. Read the summary of the configuration operation and click Finish to close the wizard.

Change port settings

Change the port settings for the computer to ensure that the agent is performing the appropriate intrusion prevention filtering on the SSL-enabled ports. The changes you make are applied to a specific application type, such as Web Server Common, on the agent computer. The changes do not affect the application type on other computers.

  1. Go to Intrusion Prevention Rules in the computer's Details window to see the list of intrusion prevention rules being applied on this computer.
  2. Sort the rules by Application Type and locate the "Web Server Common" application type. (You can perform these changes to similar application types as well.)
  3. Right-click a rule in the application type and click Application Type Properties.
  4. Override the inherited "HTTP" Port List so that you include the port you defined during the SSL Configuration setup as well as port 80. Enter the ports as comma-separated values. For example, if you use port 9090 in the SSL configuration, enter 9090, 80.
  5. To improve performance, on the Configuration tab, deselect Inherited and Monitor responses from Web Server.
  6. Click OK to close the dialog.

Disable Diffie-Hellman ciphers

Web servers are sometimes configured to use the Diffie-Hellman (DH) key exchange and authentication protocol as the "Key Exchange Algorithm" and "Authentication Method" during an SSL or TLS handshake. SSL inspection on the Deep SecurityAgent/Appliance won't work if it is enabled, however.

On Apache web servers, the "Key Exchange Algorithm" and "Authentication Method" parameters are the first two fields of the " SSLCipherSuite " variable present in the httpd-ssl.conf file. To instruct Apache to not use Diffie-Hellman, add !ADH to these fields.

For example, to disable Diffie-Hellman, you might edit the Apache configuration file's cipher suites to look like this:

SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

(The " ! " tells Apache to "not" use those ciphers.)

The file name and location of web server configuration files vary by operating system (OS) and distribution. For example, the path could be:

  • Default installation on RHEL4: /etc/httpd/conf.d/ssl.conf
  • Apache 2.2.2 on Red Hat Linux: /apache2/conf/extra/httpd-ssl.conf

For more information, see the Apache Documentation for SSLCipherSuite : http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

Supported ciphers

Hex Value

OpenSSL Name

IANA Name

NSS Name

0x00,0x04

RC4-MD5

TLS_RSA_WITH_RC4_128_MD5

SSL_RSA_WITH_RC4_128_MD5

0x00,0x05

RC4-SHA

TLS_RSA_WITH_RC4_128_SHA

SSL_RSA_WITH_RC4_128_SHA

0x00,0x09

DES-CBC-SHA

TLS_RSA_WITH_DES_CBC_SHA

SSL_RSA_WITH_DES_CBC_SHA

0x00,0x0A

DES-CBC3-SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

0x00,0x2F

AES128-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

0x00,0x35

AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

0x00,0x3C

AES128-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

0x00,0x3D

AES256-SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

0x00,0x41

CAMELLIA128-SHA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

0x00,0x84

CAMELLIA256-SHA

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

0x00,0xBA

CAMELLIA128-SHA256

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

0x00,0xC0

not implemented

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256

0x00,0x7C

not implemented

TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256

0x00,0x7D

not implemented

TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384

0x00,0x7E

not implemented

TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256

TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256

Supported protocols

The following protocols are supported:

  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TSL 1.2