Cisco Web Security Appliance S160 User Guide
Chapter 10 Decryption Policies
Digital Certificates
10-12
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
The Web Security appliance also installs with a set of trusted root certificates.
However, you can upload additional root certificates that the Web Proxy deems to
be trusted. For more information about this, see
.
Validating Digital Certificates
Certificates can be valid or invalid. A certificate may be invalid for different
reasons. For example, the current time may be before or after the certificate
validity period, the root authority in the certificate may not be recognized, or the
Common Name of the certificate does not match the hostname specified in the
HTTP “Host” header.
The Web Security appliance verifies that a server certificate is valid before it
inspects and decrypts an HTTPS connection from a server. You can configure how
the appliance handles connections to servers with invalid certificates. The
appliance can perform one of the following actions for invalid server certificates:
•
Drop. The appliance drops the connection and does not notify the client. This
is the most restrictive option.
•
Decrypt. The appliance allows the connection, but inspects the traffic
content. It decrypts the traffic and applies Access Policies to the decrypted
traffic as if it were a plaintext HTTP connection. For more information about
how the appliance decrypts HTTPS traffic, see
•
Monitor. The appliance does not drop the connection, and instead it
continues comparing the server request with the Decryption Policy groups.
This is the least restrictive option.
Note
When an invalid server certificate is monitored, the errors in the
certificate are maintained and passed along to the end-user.
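As an added example (not from this guide and not the appliance's own implementation), the following Go program uses the standard crypto/x509 package to reproduce the three validation failures described above: current time outside the validity period, an unrecognized root authority, and a name that does not match the HTTP Host header. The classification it produces is what the configured action for invalid certificates (Drop, Decrypt, or Monitor) would then be applied to. The root CA name, hostnames, serial numbers and dates are constructed for the example; an empty trust store stands in for "root not recognized". One caveat for anyone testing against a real proxy: crypto/x509, like current browsers, matches the hostname against the certificate's subjectAltName DNS entries rather than the Common Name mentioned in the text, so a certificate that carries the name only in its Common Name fails the name check here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reason is the validation outcome, using the failure causes listed in the text.
type Reason string

const (
	Valid           Reason = "valid"
	OutsideValidity Reason = "current time outside validity period"
	UnknownRoot     Reason = "root authority not recognized"
	NameMismatch    Reason = "name does not match Host header"
)

// classify verifies leaf against trust store roots for the hostname from the HTTP
// Host header at time now. Note: crypto/x509 matches subjectAltName DNS entries,
// not the Common Name, as modern browsers do.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) Reason {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	if err == nil {
		return Valid
	}
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired: // also "not yet valid"
		return OutsideValidity
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return UnknownRoot
	case errors.As(err, new(x509.HostnameError)):
		return NameMismatch
	}
	return Reason("other: " + err.Error())
}

// issue generates a P-256 key and a certificate for tmpl signed by signer under parent;
// signer nil means self-signed. Panics are acceptable for a demo fixture.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// Scenarios builds a throwaway private root CA and a leaf for www.example.com valid
// during 2024 (all constructed here), then classifies the leaf under each condition.
func Scenarios() map[string]Reason {
	from := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	to := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: from, NotAfter: to.AddDate(9, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: from, NotAfter: to,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	untrusted := x509.NewCertPool() // a trust store that never learned our root
	mid := from.AddDate(0, 6, 0)    // inside the validity period
	return map[string]Reason{
		"valid":         classify(leaf, trusted, "www.example.com", mid),
		"expired":       classify(leaf, trusted, "www.example.com", to.Add(time.Hour)),
		"not_yet_valid": classify(leaf, trusted, "www.example.com", from.Add(-time.Hour)),
		"unknown_root":  classify(leaf, untrusted, "www.example.com", mid),
		"host_mismatch": classify(leaf, trusted, "mail.example.com", mid),
	}
}

func main() {
	for name, r := range Scenarios() { // what a Drop/Decrypt/Monitor action keys on
		fmt.Printf("%-14s %s\n", name, r)
	}
}
```

Run it with go run; only the first scenario validates, and both the expired and the not-yet-valid cases map to the same "outside validity period" reason because crypto/x509 reports both with the Expired reason code. Uploading the root into the trust store, as the text describes for additional root certificates, is exactly what turns the unknown_root case into a valid one.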
For more information about configuring the appliance to handle invalid server
certificates, see
.