Inspect SSL traffic

You can configure SSL inspection for a given credential-port pair on one or more interfaces of your protected computer.

SSL inspection is not supported for compressed traffic.

Credentials can be imported in PKCS#12 or PEM format. Windows computers can use CryptoAPI directly.

  1. In the Deep Security Manager, select the computer you would like to configure and click Details to open the computer editor.
  2. In the left pane of the computer editor, select Intrusion Prevention > Advanced > View SSL Configurations, and click View SSL Configurations to display the computer's SSL Configurations window.
  3. Click New to display the first page of the SSL Configuration wizard.
  4. If you would like this configuration to apply to all interfaces on this computer, select All Interface(s).
    If you would like this configuration to apply to specific interfaces, select Specific Interface(s).
    Select Port(s) or Ports List and select a list.
  5. Click Next.
  6. On the IP Selection screen, select All IPs or provide a Specific IP on which SSL intrusion prevention analysis should take place.
  7. Click Next.
  8. On the Credentials screen, select the method of providing credentials:
    • I will upload credentials now
    • The credentials are on the computer
  9. If you will upload credentials now, enter their type, location, and pass phrase (if required).
  10. If the credentials are on the computer, provide Credential Details.
    • If you are using PEM or PKCS#12 credential formats stored on the computer, identify the location of the credential file and the file's pass phrase (if required).
    • If you are using Windows CryptoAPI credentials, choose the credentials from the list of credentials found on the computer.
  11. Name and describe this configuration: give the new SSL configuration a name and a description.
  12. Look over the summary and close the SSL Configuration Wizard: read the summary of the configuration operation and click Finish to close the wizard.
  13. Change Port Settings in the computer Details window to Monitor SSL Ports.
  14. Finally, you need to ensure that the agent is performing the appropriate intrusion prevention filtering on the SSL-enabled port(s).
  15. Go to Intrusion Prevention Rules in the computer's Details window to see the list of intrusion prevention rules being applied on this computer.
  16. Sort the rules by Application Type. Scroll down the list to find the Application Type(s) running on this computer (in this example, we will use "Web Server Common").
  17. Instead of using the inherited "HTTP" Port List, override it to include the port you defined during the SSL Configuration setup (port 9090 in this example) as well as port 80. Enter ports 9090 and 80 as comma-separated values and click OK to close the dialog. (Since you selected Application Type Properties, the changes you made will only be applied to this computer. The "Web Server Common" Application Type will remain unchanged on other computers).
  18. This computer is now configured for filtering SSL encrypted data streams.

    Supported Ciphers

    Hex Value  | OpenSSL Name     | IANA Name                             | NSS Name
    -----------+------------------+---------------------------------------+----------------------------------
    0x00,0x04  | RC4-MD5          | TLS_RSA_WITH_RC4_128_MD5              | SSL_RSA_WITH_RC4_128_MD5
    0x00,0x05  | RC4-SHA          | TLS_RSA_WITH_RC4_128_SHA              | SSL_RSA_WITH_RC4_128_SHA
    0x00,0x09  | DES-CBC-SHA      | TLS_RSA_WITH_DES_CBC_SHA              | SSL_RSA_WITH_DES_CBC_SHA
    0x00,0x0A  | DES-CBC3-SHA     | TLS_RSA_WITH_3DES_EDE_CBC_SHA         | SSL_RSA_WITH_3DES_EDE_CBC_SHA
    0x00,0x2F  | AES128-SHA       | TLS_RSA_WITH_AES_128_CBC_SHA          | TLS_RSA_WITH_AES_128_CBC_SHA
    0x00,0x35  | AES256-SHA       | TLS_RSA_WITH_AES_256_CBC_SHA          | TLS_RSA_WITH_AES_256_CBC_SHA
    0x00,0x3C  | AES128-SHA256    | TLS_RSA_WITH_AES_128_CBC_SHA256       | TLS_RSA_WITH_AES_128_CBC_SHA256
    0x00,0x3D  | AES256-SHA256    | TLS_RSA_WITH_AES_256_CBC_SHA256       | TLS_RSA_WITH_AES_256_CBC_SHA256
    0x00,0x41  | CAMELLIA128-SHA  | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA     | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    0x00,0x84  | CAMELLIA256-SHA  | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA     | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    0x00,0xBA  |                  | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256  |
    0x00,0xC0  | DES-CBC3-MD5     | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256  |
    0x00,0x7C  |                  | TLS_RSA_WITH_3DES_EDE_CBC_RMD160      |
    0x00,0x7D  |                  | TLS_RSA_WITH_AES_128_CBC_RMD160       |
    0x00,0x7E  |                  | TLS_RSA_WITH_AES_256_CBC_RMD160       |

    Supported Protocols

    Protocol
    • SSL 3.0
    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
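The two tables above, together with the note that compressed traffic is not supported, define which sessions the agent can actually inspect. As an added example (not part of this article and not Trend Micro code), the script below parses a TLS ServerHello record and reports whether the negotiated protocol version, cipher suite and compression method all fall inside those tables. The cipher ids and version list are copied from the tables above; the ServerHello records are constructed inline for the demonstration rather than captured from a real server. Every suite in the table uses RSA key exchange, so the constructed negative case negotiates the ECDHE suite 0xC0,0x2F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), which is outside the list. The parser reads only the fixed ServerHello fields and ignores extensions, so a TLS 1.3 server, which announces its version in an extension, is seen here as the legacy version 3.3.

```python
import struct

# Cipher suites from the article's "Supported Ciphers" table, keyed by the
# two-byte suite id (the table writes 0x00,0x04; on the wire that is 0x0004).
SUPPORTED_CIPHERS = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x00BA: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
    0x00C0: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
    0x007C: "TLS_RSA_WITH_3DES_EDE_CBC_RMD160",
    0x007D: "TLS_RSA_WITH_AES_128_CBC_RMD160",
    0x007E: "TLS_RSA_WITH_AES_256_CBC_RMD160",
}

# Versions from the article's "Supported Protocols" table, keyed by the
# (major, minor) bytes as they appear on the wire.
SUPPORTED_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                      (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HANDSHAKE = 22        # TLS record content type
SERVER_HELLO = 2      # handshake message type
NULL_COMPRESSION = 0  # compression_method value meaning "no compression"


def parse_server_hello(record):
    """Return (version, cipher_suite, compression) from a ServerHello record.

    Only the fixed fields are read; any extensions that follow are ignored.
    Raises ValueError for anything that is not a well-formed ServerHello.
    """
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    # ServerHello layout: version(2) random(32) session_id<0..32>
    #                     cipher_suite(2) compression_method(1) [extensions]
    if len(hs) < 35:
        raise ValueError("ServerHello too short")
    version = (hs[0], hs[1])
    sid_len = hs[34]
    pos = 35 + sid_len
    if len(hs) < pos + 3:
        raise ValueError("ServerHello truncated after session id")
    cipher = int.from_bytes(hs[pos:pos + 2], "big")
    compression = hs[pos + 2]
    return version, cipher, compression


def inspection_verdict(record):
    """Return (inspectable, reason) for a ServerHello record, judged
    against the article's protocol table, cipher table and compression note."""
    version, cipher, compression = parse_server_hello(record)
    if version not in SUPPORTED_VERSIONS:
        return False, "protocol version %d.%d is not in the supported list" % version
    if cipher not in SUPPORTED_CIPHERS:
        return False, "cipher suite 0x%04X is not in the supported list" % cipher
    if compression != NULL_COMPRESSION:
        return False, "compression method %d negotiated; compressed traffic is not supported" % compression
    return True, "%s with %s" % (SUPPORTED_VERSIONS[version], SUPPORTED_CIPHERS[cipher])


def build_server_hello(version, cipher, compression=NULL_COMPRESSION, session_id=b""):
    """Construct a minimal ServerHello record (constructed test input, not a capture)."""
    hello = (bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
             + cipher.to_bytes(2, "big") + bytes([compression]))
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed samples: one inspectable session and two that are not.
    samples = {
        "TLS 1.2, RSA/AES-128-CBC": build_server_hello((3, 3), 0x002F),
        "TLS 1.2, ECDHE suite 0xC02F": build_server_hello((3, 3), 0xC02F),
        "TLS 1.0, RC4-MD5, compressed": build_server_hello((3, 1), 0x0004, compression=1),
    }
    for label, rec in samples.items():
        ok, why = inspection_verdict(rec)
        print("%-32s %s (%s)" % (label, "inspectable" if ok else "NOT inspectable", why))
```

Run this over a ServerHello captured from the server on the port you configured in the wizard (for instance with a packet capture filtered to that port): if the verdict is "NOT inspectable", the agent will not be able to decrypt that session regardless of how the port lists in step 17 are set, and the server's cipher configuration is the thing to revisit.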