Cisco Web Security Appliance S380 User Guide
Chapter 10 Decryption Policies
Enabling the HTTPS Proxy
10-26
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Step 10
In the Invalid Certificate Handling section, choose how the appliance handles
HTTPS traffic when it encounters invalid server certificates. You can drop,
decrypt, or monitor HTTPS traffic for the following types of invalid server
certificates:
• Expired. The certificate is either not yet valid, or it is currently past its
valid-to date.
• Mismatched hostname. The hostname in the certificate does not match the
hostname the client was trying to access. This might happen during a “man in
the middle attack,” or when a server redirects a request to a different URL.
For example, http://mail.google.com gets redirected to
http://www.gmail.com.
Note — The Web Proxy can only perform a hostname match when it is
deployed in explicit forward mode. When it is deployed in transparent mode,
it does not know the hostname of the destination server (it only knows the IP
address), so it cannot compare it to the hostname in the server certificate.
• Unrecognized root authority. The root certificate authority for the
certificate is not in the set of trusted root authorities on the appliance.
• All other error types. Most other error types are due to the appliance not
being able to complete the SSL handshake with the HTTPS server. For more
information about additional error scenarios for server certificates, see
http://www.openssl.org/docs/apps/verify.html.
Note — When a certificate is both expired and has an unrecognized root authority,
the Web Security appliance performs the action specified for an
unrecognized root authority.
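The following added example (not Cisco's code, and not how AsyncOS implements the feature) models the classification and precedence rules described in Step 10: the four error types, the transparent-mode limitation on hostname matching, and the stated rule that an expired certificate with an unrecognized root gets the unrecognized-root action. The `ServerCert` fields, the `POLICY` values and the most-restrictive tie-break for combinations the guide does not mention are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The three actions the Invalid Certificate Handling section offers per error type.
DROP, DECRYPT, MONITOR = "drop", "decrypt", "monitor"

@dataclass
class ServerCert:
    """Constructed stand-in for the fields a verifier reads from an X.509 server cert."""
    hostnames: frozenset   # subject CN and SANs
    not_before: datetime
    not_after: datetime
    root_issuer: str       # root CA anchoring the chain

# Sample per-error configuration (constructed values, not a recommended setting).
POLICY = {"expired": DECRYPT, "mismatched_hostname": DROP,
          "unrecognized_root": DROP, "other": MONITOR}

def classify(cert, trusted_roots, now, requested_host=None, handshake_ok=True):
    """Return the guide's error types that apply. requested_host is None in
    transparent mode: the proxy then knows only the destination IP, so the
    hostname comparison cannot be performed."""
    if not handshake_ok:
        return ["other"]            # could not complete the SSL handshake
    errors = []
    if cert.root_issuer not in trusted_roots:
        errors.append("unrecognized_root")
    if not (cert.not_before <= now <= cert.not_after):
        errors.append("expired")    # not yet valid, or past its valid-to date
    if requested_host is not None and requested_host not in cert.hostnames:
        errors.append("mismatched_hostname")
    return errors

def decide(errors, policy=POLICY):
    """Map detected error types to one configured action; None if the cert is valid."""
    if not errors:
        return None
    # Stated in the guide: expired + unrecognized root -> the unrecognized-root action.
    if "unrecognized_root" in errors:
        return policy["unrecognized_root"]
    # Assumption for other combinations (the guide states no order): take the
    # most restrictive configured action.
    return max((policy[e] for e in errors), key=[MONITOR, DECRYPT, DROP].index)

# Constructed scenario: expired cert chained to an unknown root.
TRUSTED = {"Example Trusted Root CA"}
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
CERT = ServerCert(frozenset({"mail.google.com"}),
                  datetime(2009, 1, 1, tzinfo=timezone.utc),
                  datetime(2010, 1, 1, tzinfo=timezone.utc), "Unknown Root CA")
```

Calling `classify(CERT, TRUSTED, NOW, requested_host="mail.google.com")` yields both `unrecognized_root` and `expired`, and `decide` returns the unrecognized-root action even though the expired action is configured differently.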
For more information about handling invalid server certificates, see
Step 11
Submit and commit your changes.