Cisco SSL Appliance 2000 Installation Guide
Version 3.6
Sourcefire SSL Appliance Release Notes
• PKI objects (certificates or keys) can be removed even if they are still
  referenced by the active policy. The SSL engine does not fail if the policy is
  invalid, but all rules using invalid or missing PKI objects are ignored.
• If more than one administrator is making changes to the SSL appliance
  configuration, they will have to log out and log in again before changes
  made by the other person are reflected in the user interface.
• A segment configured to use any of the Active-Inline (AI) modes rejects,
  under load, some of the SSL sessions because of packet feedback
  timeouts. This means that decrypted packets sent to the attached device
  (such as IPS) do not return in time to complete the feedback loop required
  to trigger a re-encrypt of the original packets.
• A TCP FIN/FIN-ACK/ACK sequence is generated at the end of each
  decrypted SSL session. The three packets in this sequence may arrive at
  the attached device (e.g. IDS) out of sequence. This should not pose
  problems for TCP reassembly devices.
• Updates to the system log are only reflected on the last page, and only after
  pressing the Last button.
• Internal CA certificates are not automatically checked for expiration. As a
  workaround, periodically check the certificates on the user interface.
• Only network interfaces used by active segments will change color on the
  user interface dashboard, based on the status of the interface.
• SSL session logs may capture false positives, which are flows that look like
  SSL but are not SSL. Each session log entry also contains a flag that
  indicates whether the session has been confirmed as valid SSL, specifically
  whether the policy decision has been applied to the session. This flag does
  not appear on the user interface, but SSL session log post-processing tools
  can use this flag to filter out all false positives.
• When the SSL appliance recovers from an overload condition it may flag
  some SSL sessions with the Invalid cryptographic response error code.
Web Browser Compatibility
Version 3.6.3 of the web interface for the SSL appliance is compatible with the
following browsers:
• Firefox 11.x
• Chrome 18.x
• Microsoft Internet Explorer 8.x and 9.x