Cisco Web Security Appliance S680 User Guide
10-15
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Chapter 10 Decryption Policies
Decrypting HTTPS Traffic
4. Assuming the Access Policy group allows the client to receive the data, the data is encrypted using the temporary, symmetric key negotiated with the client.
5. Encrypted data is sent to the client.
Note
No decrypted data is cached. However, access logs for decrypted HTTP
transactions are saved to disk.
Mimicking the Server Digital Certificate
When the appliance performs the SSL handshake with the client, it mimics the
server digital certificate and sends the new certificate to the client. To mimic the
server digital certificate, it reuses most field values and changes some field values.
The mimicked certificate is the same as the server certificate except for the
following fields:
• Issuer. The issuer comes from the generated or uploaded root certificate configured in the appliance.
• Signature Algorithm. This field is always “sha1WithRSAEncryption” or “dsaWithSHA1”, depending on whether the root certificate the appliance uses contains an RSA or a DSA key.
• Public Key. The appliance replaces the public key in the original certificate with a public key it generates that matches the bit strength of the original certificate, and for which it has generated a matching private key as well. For example, if the server certificate uses a 2048-bit RSA key, the appliance generates a new 2048-bit RSA key.
• X509v3 Extensions. All X509v3 extensions are removed except for the following:
– Basic Constraints
– Subject Alternative Name
– Key Usage
– Subject Key Identifier
– Extended Key Usage
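The mimicking rules above, as an added worked example in Go using only the standard library; this is not code from the Cisco guide or from AsyncOS. It re-issues an origin server's leaf certificate under an appliance-style root: the serial number, Subject DN and validity period are copied, the public key is replaced by a freshly generated RSA key of the same bit length, the Issuer is taken from the root, and only the five listed extensions survive. Everything in it is constructed: the root name "Example WSA Root", the host www.example.com, the CRL and OCSP URLs, and the function names issue, MimicCertificate, UnexpectedExtensions and RunDemo. Two deliberate departures from the guide's description are labelled in the comments: the signature is sha256WithRSAEncryption rather than sha1WithRSAEncryption, because current Go releases and browsers reject SHA-1 certificate signatures, and the Subject Key Identifier is recomputed from the new key rather than copied, since the guide says only that the extension is kept.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh RSA key of the given size, stamps its key identifier
// into tmpl and signs tmpl with parent/signer (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, bits int, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	// SKI per RFC 5280 method 1 (SHA-1 over the PKCS#1 key, i.e. the subjectPublicKey bits); recomputing it per key is an assumption.
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey))
	tmpl.SubjectKeyId = ski[:]
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MimicCertificate re-issues the origin leaf certificate orig under the appliance root ca,
// which becomes the Issuer and signs. Only what the guide lists changes: Issuer, signature
// algorithm, public key (a fresh pair of the original's bit strength) and the set of X509v3 extensions.
func MimicCertificate(orig, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	origPub, ok := orig.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("example handles RSA server keys only, got %T", orig.PublicKey)
	}
	tmpl := &x509.Certificate{
		// Reused as-is: serial, Subject DN (byte for byte) and validity period.
		SerialNumber: orig.SerialNumber, RawSubject: orig.RawSubject, NotBefore: orig.NotBefore, NotAfter: orig.NotAfter,
		// Guide: sha1WithRSAEncryption. SHA-256 here, since current Go and browsers reject SHA-1 signatures.
		SignatureAlgorithm: x509.SHA256WithRSA,
		// The five retained extensions; whatever is not copied here (CRL DP, AIA, policies, SCTs...) is dropped.
		BasicConstraintsValid: orig.BasicConstraintsValid, IsCA: orig.IsCA,
		DNSNames: orig.DNSNames, IPAddresses: orig.IPAddresses, EmailAddresses: orig.EmailAddresses, URIs: orig.URIs,
		KeyUsage: orig.KeyUsage, ExtKeyUsage: orig.ExtKeyUsage, UnknownExtKeyUsage: orig.UnknownExtKeyUsage,
	}
	return issue(tmpl, ca, origPub.N.BitLen(), caKey)
}

// UnexpectedExtensions lists extension OIDs the appliance should have dropped: anything beyond the
// guide's five plus Authority Key Identifier (2.5.29.35), which Go adds whenever the CA has an SKI.
func UnexpectedExtensions(c *x509.Certificate) (out []string) {
	kept := map[string]bool{"2.5.29.19": true, "2.5.29.17": true, "2.5.29.15": true, "2.5.29.14": true, "2.5.29.37": true, "2.5.29.35": true}
	for _, e := range c.Extensions {
		if !kept[e.Id.String()] {
			out = append(out, e.Id.String())
		}
	}
	return out
}

// RunDemo builds a constructed appliance root and origin-server certificate (made-up names), then mimics the latter.
func RunDemo() (ca, origin, mimic *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example WSA Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
	}, nil, 2048, nil)
	if err == nil {
		origin, _, err = issue(&x509.Certificate{
			SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.com"},
			NotBefore: now, NotAfter: now.AddDate(1, 0, 0), BasicConstraintsValid: true,
			DNSNames:    []string{"www.example.com", "example.com"},
			KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			CRLDistributionPoints: []string{"http://crl.example.com/origin.crl"}, // outside the guide's list: must be dropped
			OCSPServer:            []string{"http://ocsp.example.com"},           // outside the guide's list: must be dropped
		}, nil, 2048, nil)
	}
	if err == nil {
		mimic, _, err = MimicCertificate(origin, ca, caKey)
	}
	return
}

func main() {
	_, _, mimic, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("mimic issuer:", mimic.Issuer.CommonName, "unexpected extensions:", UnexpectedExtensions(mimic))
}
```

Go's CreateCertificate also emits an Authority Key Identifier pointing at the root's SKI, which the guide's list does not mention; the allowlist in UnexpectedExtensions tolerates it. The same allowlist is a quick way to audit what a real appliance hands a client: dump the mimicked certificate with `openssl x509 -in cert.pem -noout -text` and compare the X509v3 extensions section against the five names above.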