SSL Decryption


Configuration Variable	Data Type	Description
proxy.config.ssl.enabled	INT	Default: 1 When enabled (1), Content Gateway accepts SSL connections and performs URL filtering before establishing a connection with the origin server. See proxy.config.ssl_decryption.use_decryption to enable SSL decryption.
proxy.config.ssl_decryption.use_decryption	INT	Default: 0 When enabled (1), Content Gateway accepts and decrypts SSL traffic. See Working With Encrypted Data.
proxy.config.ssl_decryption_ports	INT	Default: 443 The HTTPS ports. Content Gateway allows SSL decryption and policy lookup only to the specified ports.
proxy.config.ssl_decryption.tunnel_TLSv13	INT	Default: 1 (Added in v8.5.3.) When enabled (1), allows for tunneling of TLSV1.3-only connections (SSL connections that offer TLSv1.3, and no other protocols, as their "client hello").
proxy.config.ssl_server_port	INT	Default: 8080 The port on which Content Gateway listens for client SSL traffic.
proxy.config.administrator_id	STRING	Default: NULL Do not change. Holds the encrypted administrator ID.
proxy.config.ssl_decryption.tunnel_unknown_protocols	INT	Default: 0 Enables (1) or disables the tunneling of unrecognized protocols using SSL ports.
proxy.config.ssl_decryption.tunnel_unknown_protocols_timeout	INT	Default: 10 Specifies the time in seconds that Content Gateway waits for the "client hello" response before tunneling the request as an unknown protocol.
proxy.config.ssl_decryption.mirror_enabled	INT	Default: 0 Enables (1) or disables SSL Decryption for Port Mirroring. Note that this feature is only available when SSL decryption is enabled and when Content Gateway is installed on an appliance. This variable should be edited only by using the appliance CLI.
proxy.config. ssl_decryption. mirror_interface	STRING	Default: NULL The appliance interface that will be used to mirror decrypted SSL traffic. This variable should be edited only by using the appliance CLI.
proxy.config. ssl_decryption. custom_request_header	STRING	Default: X-Proxy-HTTPS:1 The custom header name and value that Port Mirroring inserts into each HTTP request header sent to the monitor network interface. This variable should be edited only by using the appliance CLI.
proxy.config.ssl.server.SSLv2 (Removed n v8.5.4)	INT	Default: 0 When enabled (1), Content Gateway accepts SSLv2 connections from clients. (In this case, "server" refers to Content Gateway's role as server to the client.)
proxy.config.ssl.server.SSLv3	INT	Default: 0 When enabled (1), Content Gateway accepts SSLv3 connections from clients. (In this case, "server" refers to Content Gateway's role as server to the client.)
proxy.config.ssl.server.TLSv1	INT	Default: 0 When enabled (1), Content Gateway accepts TLSv1 connections from clients. (In this case, "server" refers to Content Gateway's role as server to the client.)
proxy.config.ssl.server.TLSv11	INT	Default: 1 When enabled (1), Content Gateway accepts TLSv1.1 connections from clients. (In this case, "server" refers to Content Gateway's role as server to the client.)
proxy.config.ssl.server.TLSv12	INT	Default: 1 When enabled (1), Content Gateway accepts TLSv1.2 connections from clients. (In this case, "server" refers to Content Gateway's role as server to the client.)
proxy.config.ssl.client.SSLv2 (Removed in v8.5.4)	INT	Default: 0 When enabled (1), Content Gateway accepts SSLv2 connections from origin servers. (In this case, "client" refers to Content Gateway's role as client to the origin server.)
proxy.config.ssl.client.SSLv3	INT	Default: 0 When enabled (1), Content Gateway accepts SSLv3 connections from origin servers. (In this case, "client" refers to Content Gateway's role as client to the origin server.)
proxy.config.ssl.client.TLSv1	INT	Default: 0 When enabled (1), Content Gateway accepts TLSv1 connections from origin servers. (In this case, "client" refers to Content Gateway's role as client to the origin server.)
proxy.config.ssl.client.TLSv11	INT	Default: 1 When enabled (1), Content Gateway accepts TLSv1.1 connections from origin servers. (In this case, "client" refers to Content Gateway's role as client to the origin server.)
proxy.config.ssl.client.TLSv12	INT	Default: 1 When enabled (1), Content Gateway accepts TLSv1.2 connections from origin servers. (In this case, "client" refers to Content Gateway's role as client to the origin server.)
proxy.config.ssl.client.TLS_padding	INT	Default: 1 When enabled (1), Content Gateway will add padding to ensure a "client hello" does not hang the connection
proxy.config.ssl.server.cipherlist_option	STRING	Default: DEFAULT Specifies the client-to-proxy cipher setting. Values are: DEAULT HIGH MEDIUM:HIGH These entries must be in uppercase. See SSL configuration settings for inbound traffic.
proxy.config.ssl.server.cipherlist_suffix	STRING	Default: :!ADH:!RC4:!EXP:!DES:@STRENGTH v8.5.4 Default: :!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH List of ciphers not allowed for use in client-to-proxy (inbound) communication. The cipher list is determined by combining the corresponding cipherlist_option with this list. Note these entries are case-sensitive and require the leading colon (:).
proxy.config.ssl.client.cipherlist_option	STRING	Default: DEFAULT Specifies the proxy-to-server cipher setting. Values are: DEFAULT HIGH MEDIUM:HIGH These entries must be in uppercase. See SSL configuration settings for outbound traffic.
proxy.config.ssl.client.cipherlist_suffix	STRING	Default: :!ADH:!RC4:!EXP:!DES:@STRENGTH v8.5.4 Default: :!ADH:!RC4:!3DES:!EXP:!DES:!IDEA-CBC-SHA:@STRENGTH List of ciphers not allowed for use in proxy-to-server (outbound) communication. The cipher list is determined by combining the corresponding cipherlist_option with this list. Note these entries are case-sensitive and require the leading colon (:).
proxy.config.ssl.server.session_cache (Removed in v8.5.4)	INT	Default: 1 Enables (1) or disables the SSL server session cache.
proxy.config.ssl.server.session_cache_timeout (Removed in v8.5.4)	INT	Default: 300 The SSL server session cache timeout period. The default is 300 seconds (5 minutes).
proxy.config.ssl.client.session_cache (Removed in v8.5.4)	INT	Default: 1 Enables (1) or disables the SSL client session cache.
proxy.config.ssl.client.session_cache_timeout (Removed in v8.5.4)	INT	Default: 300 The SSL client session cache timeout period. The default is 300 seconds (5 minutes).
proxy.config.ssl.client.certification_level	INT	Default: 0 Whether client certificates are not needed, optional, or required. certification level should be: 0 = no client certificates 1 = client certificates optional 2 = client certificates required
proxy.config.ssl.client.set_sni	IINT	Default: 1 Enables (1) or disables (0) a feature that forces the proxy to add an outbound SNI (server name indication) when requesting a server certificate be added to the Incident List.
proxy.config.ssl_skip_dns_on_sni	INT	Default: 0 Enables (0) or disables (1) a DNS lookup for the CONNECT hostname when X-Server-IP is present in the header
proxy.config.ssl.server.cert.filename	STRING	Default: server.crt.pem The server certificate filename.
proxy.config.ssl.server.private_key.filename	STRING	Default: Domainkey.pem The private key for the server certificate.
proxy.config.ssl.server.private_key.path	STRING	Default: /config The private key path for the server certificate.
proxy.config.ssl.CA.cert.filename	STRING	Default: NULL Te name of the file containing the list of CAs that Content Gateway will accept from a client. When the connection is from the client to Content Gateway and the value of proxy.config.ssl.client.certification_level is 1 or 2, Content Gateway sends the CA list to client.
proxy.config.ssl.CA.cert.path	STRING	Default: NULL The path to the CA list files. See the preceding entry.
proxy.config.ssl.catree_update	INT	Default: 1 Enables (1) or disables (0) automatic updates of the Certificate Authority tree. See Automatic certificate updates.
proxy.config.ssl.client.cert.policy	INT	For SSL certificate incidents, specifies whether to tunnel an incident (0), or block the request and create an entry in the incident list (1).
proxy.config.ssl.client.verify.server	INT	Enables (1) or disables the Certificate Verification Engine (CVE). See Validating certificates.
proxy.config.ssl.cert.verify.denycnmismatch	INT	Default: 0 Enables (1) or disables the CVE check: "Deny certificates where the common name does not match the URL" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.add_cert_to_database	INT	Default: 1 (Added in v8.5.3) Enables (1) or disables the automatic adding of new certificates to the certificate database.
proxy.config.ssl.cert.verify.allowcnwild	INT	Default: 0 Enables (1) or disables the CVE check: "Allow wildcard certificates" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.denyexpired	INT	Default: 0 Enables (1) or disables the CVE check: "No expired or not yet valid certificates" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.denyselfsigned	INT	Default: 1 Enables (1) or disables the CVE check: "Deny self-signed certificates" This setting applies only when the CVE is enabled
proxy.config.ssl.cert.verify.denysha1cert	INT	Default: 1 (Added in v8.5.3.) Enables (1) or disables a feature that invalidates SHA-1 intermediate certificates for HTTPS traffic. A block page is served if a SHA-1 certificate is encountered.
proxy.config.ssl.cert.verify.certchain	INT	Default: 1 Enables (1) or disables the CVE check: "Verify entire certificate chain" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.checkcrl	INT	Default: 0 Enables (1) or disables the CVE check: "Check certificate revocation by CRL" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.checkocsp	INT	Default: 0 Enables (1) or disables the CVE check: "Check certificate revocation by OCSP" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.blockunknownocsp	INT	Default: 0 Enables (1) or disables the CVE check: "Block certificates with Unknown OCSP state" The setting applies only when the CVE is enabled.
proxy.config.ssl.cert.verify.denymd5cert	INT	Default: 0 Enables (1) denial of certificates that use an MD5 signiture.
proxy.config.ssl.cert.verify.revprefer	INT	Default: 1 The preferred method for the certificate revocation check. 1 = CRL 2 = OCSP
proxy.config.ssl.cert.verify.blocknouri	INT	Default: 0 Enables (1) or disables the CVE check: "Block certificates with no CRL URI and with no OCSP URI"
proxy.config.ssl.cert.verify.bypassfail INT 0	INT	Default: 1 Enables (1) the certificate check failure bypass option that allows users to proceed to a site after the certificate check has failed.
proxy.config.ssl.cert.verify.bypasscache	INT	Default: 1 Enables (1) the verification timeout cache.
proxy.config.ssl.cert.verify.bypasscachetimeout	INT	Default: 6 The time, in seconds, that an entry in verification bypass cache times out and is purged.
proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic	INT	Default: 0 Enables (1) or disables (0) tunneling of non-ssl traffic. This variable must be added manually.