Cisco Web Security Appliance S670 User Guide

Decrypting HTTPS Traffic
Chapter 10: Decryption Policies
The request and response data is encrypted for HTTPS connections before it is sent across the 
network. Because the data is encrypted, third parties can view the data, but cannot decrypt it 
to read its contents without the private key of the HTTPS server. 
Figure 10-3 shows an HTTPS connection between a client and an HTTPS server.
Figure 10-3 HTTPS Connection
The Web Security appliance does not have access to the server’s private key, so in order to 
inspect the traffic between the client and the server, it must intercept the connection and 
break the connection into two separate connections. The appliance acts as an intermediary 
between the client and the server pretending to be the server to the client, and the client to 
the server. This is sometimes referred to as being the “man in the middle.”
Figure 10-4 shows an HTTPS connection between a client and an HTTPS server that goes 
through the Web Security appliance.
Figure 10-4 HTTPS Connection Decrypted by the Web Security Appliance
Notice that in Figure 10-4, there are two different HTTPS connections, one between the client 
and the appliance, and one between the appliance and the server. The appliance performs the 
SSL handshake twice, once with the client and again with the server:
• SSL handshake with the server. When the appliance performs the SSL handshake with the 
server, it acts as if it were the client sending a request to the server. After it establishes a 
secure connection with the server, it can begin receiving the encrypted data. Because it 
acts as the client and participates in the SSL handshake, it has agreed upon a temporary 
symmetric key with the server so it can decrypt and read the data the server sends. Also, 
the appliance receives the server’s digital certificate.
• SSL handshake with the client. When the appliance performs the SSL handshake with the 
client, it acts as if it were the requested server providing data the client requests. In order 
[Figure 10-3 and 10-4 labels: Client, Server, Web Security Appliance]
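The two-connection model above means the client never sees the origin server's certificate: the appliance terminates the client-side handshake with a certificate it issues under its own root CA for the same host name, so the client trusts the session only if that root is installed in its trust store. The Go program below is an added illustration, not code from the guide or from the appliance; it builds both chains in memory with constructed names ("Origin Public CA (constructed)", "Web Security Appliance Root (constructed)", host www.example.com), runs the client's normal chain validation with and without the appliance root, and shows how a client that pins the origin's public-key fingerprint can tell that the certificate it received was substituted even when the chain validates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert creates a key pair and certificate for cn. With parent == nil the
// certificate is self-signed (a root); otherwise it is signed by parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // a leaf must carry the host name as a SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario holds the two chains a client may be shown for one host: the origin
// server's own chain and the chain the appliance substitutes on the client side.
type Scenario struct {
	OriginRoot, OriginLeaf       *x509.Certificate
	ApplianceRoot, ApplianceLeaf *x509.Certificate
}

// BuildScenario constructs both chains for host. All names are constructed for
// this example and all keys live only in memory.
func BuildScenario(host string) Scenario {
	originRoot, originKey := makeCert("Origin Public CA (constructed)", true, nil, nil)
	originLeaf, _ := makeCert(host, false, originRoot, originKey)
	applianceRoot, applianceKey := makeCert("Web Security Appliance Root (constructed)", true, nil, nil)
	// The appliance reuses the host name from the server's certificate but signs
	// with its own CA and its own key.
	applianceLeaf, _ := makeCert(host, false, applianceRoot, applianceKey)
	return Scenario{originRoot, originLeaf, applianceRoot, applianceLeaf}
}

// VerifyForHost performs the client's ordinary chain validation against one root.
func VerifyForHost(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// SPKIFingerprint hashes the certificate's public key, the value a pinning client compares.
func SPKIFingerprint(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// LooksIntercepted reports whether the received certificate carries a different
// key than the one pinned for the host, independent of whether the chain validates.
func LooksIntercepted(seen, pinned *x509.Certificate) bool {
	return SPKIFingerprint(seen) != SPKIFingerprint(pinned)
}

func main() {
	s := BuildScenario("www.example.com")
	fmt.Println("origin leaf, origin root trusted:    ", VerifyForHost(s.OriginLeaf, s.OriginRoot, "www.example.com"))
	fmt.Println("appliance leaf, origin root only:    ", VerifyForHost(s.ApplianceLeaf, s.OriginRoot, "www.example.com"))
	fmt.Println("appliance leaf, appliance root added:", VerifyForHost(s.ApplianceLeaf, s.ApplianceRoot, "www.example.com"))
	fmt.Println("pinned client detects substitution:  ", LooksIntercepted(s.ApplianceLeaf, s.OriginLeaf))
}
```

The second and third checks are the deployment point the guide's model implies: without the appliance root in the client's trust store every decrypted HTTPS connection fails validation, and with it the substituted chain is accepted as if it came from the origin. The last check is the defender's caveat: applications that pin a public key (as many mobile clients and update agents do) will still refuse the connection, so those destinations typically need a pass-through rather than a decrypt policy.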