Cisco Web Security Appliance S690 User Guide

IronPort AsyncOS 6.3 for Web User Guide, page 190
Validating Digital Certificates
Certificates can be valid or invalid. A certificate may be invalid for several reasons. For 
example, the current time may be before or after the certificate validity period, the root 
authority that issued the certificate may not be recognized, or the Common Name of the 
certificate may not match the hostname specified in the HTTP “Host” header.
The Web Security appliance verifies that a server certificate is valid before it inspects and 
decrypts an HTTPS connection from a server. You can configure how the appliance handles 
connections to servers with invalid certificates. The appliance can perform one of the 
following actions for invalid server certificates:
• Drop. The appliance drops the connection and does not notify the client. This is the most 
restrictive option.
• Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts 
the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP 
connection. For more information about how the appliance decrypts HTTPS traffic, see 
“Decrypting HTTPS Traffic” on page 191.
• Monitor. The appliance does not drop the connection, and instead it continues comparing 
the server request with the Decryption Policy groups. This is the least restrictive option.
Note — When an invalid server certificate is monitored, the appliance does not correct or mask the 
errors in the certificate; they are preserved and passed along to the end user's client, which 
must handle them itself.
For more information about configuring the appliance to handle invalid server certificates, see 
“Enabling HTTPS Scanning” on page 197.