Cisco Web Security Appliance S680 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 11 Processing HTTPS Traffic
Step 2
Create a Decryption Policy and use the custom URL category created in
as part of the policy group membership. Depending on the other Decryption Policies configured, you might want to place this Decryption Policy at the top of the list.
Step 3
Configure the Decryption Policy to pass through all traffic to the custom URL category.
Step 4
Choose pass through as the default action for the Decryption Policy.
Step 5
Submit and commit your changes.
Managing Certificate Validation and Decryption for HTTPS
The Web Security appliance validates certificates before inspecting and decrypting content.
Valid Certificates
Qualities of a valid certificate:
• Not expired. The certificate's validity period includes the current date.
• Recognized certificate authority. The issuing certificate authority is included in the list of trusted certificate authorities stored on the Web Security appliance.
• Valid signature. The certificate's digital signature verifies correctly against the issuer's public key, using standard cryptographic algorithms.
• Consistent naming. The common name matches the hostname the client requested in the HTTP header.
• Not revoked. The issuing certificate authority has not revoked the certificate.
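The five checks above, carried out against real X.509 objects, as an added example. This is not code from the Cisco guide or from AsyncOS, and it does not claim to reproduce the appliance's internal logic. It assumes the third-party Python `cryptography` package; the CA names, the hostname www.example.test, the CRL and every function name are constructed for the example. Besides one case per check, it includes an issuer-name spoof (a certificate that names the trusted CA as its issuer but was signed with a different key), which only the signature check catches:

```python
# Added example, not code from the Cisco guide or from AsyncOS: reimplements the
# five "Valid Certificates" checks above. Assumes the third-party `cryptography`
# package; CA, server certificates, CRL and hostnames are constructed so it runs offline.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = dt.datetime(2024, 1, 15)   # constructed "current date" (naive UTC)
DAY = dt.timedelta(days=1)
HOST = "www.example.test"        # constructed hostname from the client's CONNECT/Host header

def make_ca(name):
    """Self-signed CA; returns (private_key, certificate)."""
    key = rsa.generate_private_key(65537, 2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - 365 * DAY).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_leaf(signing_key, issuer_cert, cn, valid_from, valid_to):
    """Server cert; issuer_cert supplies only the issuer *name*, so signing_key may be a different CA's."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_cert.subject)
            .public_key(rsa.generate_private_key(65537, 2048).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(valid_from).not_valid_after(valid_to)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .sign(signing_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA that lists the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - DAY).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def name_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):   # single-label wildcard only, as browsers apply it
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def validate(cert, hostname, trusted_cas, crls, now=NOW):
    """Return the errors found; an empty list means the certificate is valid."""
    errors = []
    try:   # cryptography >= 42 offers tz-aware accessors; older versions only the naive ones
        nb, na = cert.not_valid_before_utc.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)
    except AttributeError:
        nb, na = cert.not_valid_before, cert.not_valid_after
    if not nb <= now <= na:                                          # 1. not expired
        errors.append("expired")
    issuer = next((ca for ca in trusted_cas if ca.subject == cert.issuer), None)
    if issuer is None:                                               # 2. recognized CA
        errors.append("untrusted issuer")
    else:
        try:                                                         # 3. valid signature (RSA PKCS#1 v1.5 assumed)
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            errors.append("bad signature")
        if any(crl.issuer == cert.issuer and crl.is_signature_valid(issuer.public_key())
               and crl.get_revoked_certificate_by_serial_number(cert.serial_number)
               for crl in crls):                                     # 5. not revoked
            errors.append("revoked")
    names = {a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:   # the SAN is matched as well as the CN
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names.update(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    if not any(name_matches(n, hostname) for n in names):           # 4. consistent naming
        errors.append("name mismatch")
    return errors

def run_scenarios():
    """One constructed certificate per check; returns {scenario: errors}."""
    ca_key, ca = make_ca("Constructed Trusted CA")
    rogue_key, rogue = make_ca("Constructed Rogue CA")   # deliberately not in the trust store
    good = make_leaf(ca_key, ca, HOST, NOW - DAY, NOW + 90 * DAY)
    revoked = make_leaf(ca_key, ca, HOST, NOW - DAY, NOW + 90 * DAY)
    trust, crls = [ca], [make_crl(ca_key, ca, [revoked.serial_number])]
    return {
        "good": validate(good, HOST, trust, crls),
        "expired": validate(make_leaf(ca_key, ca, HOST, NOW - 100 * DAY, NOW - 10 * DAY), HOST, trust, crls),
        "untrusted issuer": validate(make_leaf(rogue_key, rogue, HOST, NOW - DAY, NOW + 90 * DAY), HOST, trust, crls),
        "issuer-name spoof": validate(make_leaf(rogue_key, ca, HOST, NOW - DAY, NOW + 90 * DAY), HOST, trust, crls),
        "revoked": validate(revoked, HOST, trust, crls),
        "name mismatch": validate(good, "mail.example.test", trust, crls),
    }
```

An empty error list is what lets the connection continue to Decryption Policy evaluation; any non-empty list is the point at which the configured invalid-certificate action (drop, decrypt or monitor) applies. The signature step assumes RSA PKCS#1 v1.5, which is what the constructed CA issues; an ECDSA issuer needs the corresponding verify call, and a production validator would also walk intermediate certificates rather than expecting the leaf to be issued directly by a trusted root.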
Invalid Certificate Handling
The appliance can perform one of the following actions for an invalid server certificate:
• Drop. The appliance drops the connection and does not notify the client. This is the most restrictive option.
• Decrypt. The appliance allows the connection but inspects its content: it decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection.
• Monitor. The appliance does not drop the connection; instead it continues comparing the server request against the Decryption Policy groups. When an invalid server certificate is monitored, the errors in the certificate are preserved and passed along to the end user. This is the least restrictive option.