SSL configuration settings for outbound traffic

Use Configure > SSL > Decryption / Encryption > Outbound to configure SSL and TLS settings, session cache, and ciphers for outbound traffic (Content Gateway to the origin server).

Under Protocol Settings, indicate which protocols you want Content Gateway to support. Supported protocols are:

SSLv2

SSLv3 (disabled by default)

TLSv1 (enabled by default)


	Note TLSv1.1 and TLSv1.2 are also supported and enabled by default for inbound and outbound connections. You can disable this support in the records.config file: proxy.config.ssl.server.TLSv11 INT 0 proxy.config.ssl.server.TLSv12 INT 0 On Forcepoint appliances, use the CLI to set the value. On Linux servers, use the "content_line -s" command.

Select the protocols that your organization's security policy has adopted.

You must select at least one protocol.

You can select different protocols for inbound traffic.

Select Use session cache if you want to cache keys until the time specified in the Session cache timeout field expires. If keys are not cached, each request is negotiated again.

Use the Session cache timeout field to specify how long (in seconds) keys should be kept in the cache. The default is 300 seconds (5 minutes).

To disable session caching, set the session cache timeout to 0 (zero).

Under Cipher Settings, select the appropriate Cipherlist for your deployment. The cipher list describes available algorithms and level of encryption between the client and Content Gateway.

The Content Gateway DEFAULT cipher list matches the OpenSSL Default list, excluding those that Forcepoint experts believe provide the least security or encryption strength.

The strongest cipher (providing the highest level of encryption) is applied first. This can be set to a different level of encryption than for inbound traffic.

Additional cipher settings are:

HIGH encryption cipher suites are those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

MEDIUM encryption cipher suites include the high cipher list plus additional cipher suites that use 128-bit encryption algorithms.

For outbound requests, consider using HIGH to improve security.

Note that regardless of the selected setting, specific insecure ciphers are disabled by default. Control this list via the proxy.config.ssl.client.cipherlist_suffix variable in the records.config file. See the information provided in the SSL Decryption section of Content Gateway Configuration Files for more information.

For more information on ciphers and cipher lists, refer to www.openssl.org/docs.

Click Apply.

Go to the Configure > My Proxy > Basic > General tab and click Restart.