Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12      Decryption Policies
Decrypting HTTPS Traffic
Figure 12-4 HTTPS Connection Decrypted by the Web Security Appliance (figure: client, Web Security Appliance, server)
Notice that in Figure 12-4 there are two different HTTPS connections, one between the client and the appliance, and one between the appliance and the server. The appliance performs the SSL handshake twice, once with the client and again with the server:
  • SSL handshake with the server. When the appliance performs the SSL handshake with the server, it acts as if it were the client sending a request to the server. After it establishes a secure connection with the server, it can begin receiving the encrypted data. Because it acts as the client and participates in the SSL handshake, it has agreed upon a temporary symmetric key with the server, so it can decrypt and read the data the server sends. The appliance also receives the server's digital certificate.
  • SSL handshake with the client. When the appliance performs the SSL handshake with the client, it acts as if it were the requested server providing the data the client requests. To perform the SSL handshake with the client, it must send the client its own digital certificate. However, the client expects the certificate of the requested server, so the appliance mimics the requested server's certificate, signing it with a root certificate authority that an appliance administrator has uploaded or configured. For more information about how the appliance mimics the server's certificate, see Mimicking the Server Digital Certificate.
Note
Because the appliance signs the server certificate with a different root certificate authority and sends that certificate to the client, you must verify that the client applications on the network recognize the root certificate authority. For more information, see .
After the two separate HTTPS connections are established, the following actions occur:
1. Encrypted data is received from the server.
2. The temporary symmetric key negotiated with the server is used to decrypt the data.
3. Access Policies are applied to the decrypted traffic as if it were a plaintext HTTP connection. For more information about Access Policies, see
4. Assuming the Access Policy group allows the client to receive the data, the data is encrypted using the temporary symmetric key negotiated with the client.
5. Encrypted data is sent to the client.
Note
No decrypted data is cached. However, access logs for decrypted HTTP transactions are saved to disk.
Mimicking the Server Digital Certificate
When the appliance performs the SSL handshake with the client, it mimics the server digital certificate and sends the new certificate to the client. To mimic the server digital certificate, it reuses most of the original certificate's field values and changes some of them.
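The following Go program is an added illustration of the mimicking step described above and of the note about clients needing to trust the signing root; it is not Cisco's code and does not reproduce the appliance's exact field handling. It assumes Go's standard crypto/x509 package, a constructed stand-in for the origin server's certificate, an appliance root CA generated in-process (on the appliance this is the root uploaded or configured by the administrator), and an assumed choice of which fields are reused (serial, subject, SANs, validity) and which are replaced (issuer, key, signature), since the guide only says "most field values".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check aborts the demo on the first error; the fixed inputs below are not expected to produce one.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent/parentKey (a nil parent means self-signed) and returns the parsed cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MimicServerCert builds the certificate the appliance presents to the client: serial, subject, SANs and
// validity are reused from the origin certificate; issuer, key and signature come from the appliance root CA.
func MimicServerCert(origin, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{SerialNumber: origin.SerialNumber, Subject: origin.Subject,
		DNSNames: origin.DNSNames, NotBefore: origin.NotBefore, NotAfter: origin.NotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
	return cert
}

// Demo generates an appliance root CA and a constructed stand-in for the origin server's certificate,
// then returns the mimicked certificate together with the root a client must trust to accept it.
func Demo() (mimic, root *x509.Certificate) {
	now, host := time.Now(), "www.example.com"
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Appliance Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	origin, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, nil, nil) // constructed stand-in, not a real origin cert
	return MimicServerCert(origin, root, rootKey), root
}
```

Verifying the returned certificate against a pool that contains the appliance root succeeds, while verifying it against a pool without that root fails, which is exactly the situation the note above warns about.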