User Guide for the Cisco Web Security Appliance S670
190
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
Validating Digital Certificates
Certificates can be valid or invalid. A certificate may be invalid for several reasons. For
example, the current time may be before or after the certificate validity period, the root
authority in the certificate may not be recognized, or the Common Name of the certificate
may not match the hostname specified in the HTTP “Host” header.
The Web Security appliance verifies that a server certificate is valid before it inspects and
decrypts an HTTPS connection from a server. You can configure how the appliance handles
connections to servers with invalid certificates. The appliance can perform one of the
following actions for invalid server certificates:
• Drop. The appliance drops the connection and does not notify the client. This is the most
restrictive option.
• Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts
the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP
connection. For more information about how the appliance decrypts HTTPS traffic, see
“Decrypting HTTPS Traffic” on page 191.
• Monitor. The appliance does not drop the connection, and instead it continues comparing
the server request with the Decryption Policy groups. This is the least restrictive option.
Note — When an invalid server certificate is monitored, the errors in the certificate are
maintained and passed along to the end-user.
For more information about configuring the appliance to handle invalid server certificates, see
“Enabling HTTPS Scanning” on page 197.
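As an added example (not Cisco's code and not the appliance's implementation), the following Python models the three validation failures listed above and the Drop, Decrypt and Monitor handling of an invalid server certificate. The certificate dictionaries, the trust store contents and the current time are constructed for the example; hostname matching follows the usual left-most-label wildcard rule, which the guide does not spell out.

```python
from datetime import datetime, timezone

# Constructed trust store: root CAs this toy appliance recognises (assumption).
TRUSTED_ROOTS = {"Example Root CA"}
# Constructed "current time" used by the sample below.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def hostname_matches(pattern: str, host: str) -> bool:
    """Compare a certificate name with the HTTP Host header value.
    A wildcard is honoured only as the whole left-most label (*.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p, h = pattern.split("."), host.split(".")
        return len(p) == len(h) and p[1:] == h[1:]
    return False

def certificate_errors(cert: dict, host: str, now: datetime) -> list:
    """Collect the three reasons the guide gives for an invalid certificate."""
    errors = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        errors.append("outside validity period")
    if cert["root"] not in TRUSTED_ROOTS:
        errors.append("root authority not recognised")
    if not hostname_matches(cert["common_name"], host):
        errors.append("Common Name does not match Host header")
    return errors

def handle_connection(cert: dict, host: str, now: datetime, action: str) -> dict:
    """Apply the configured action for invalid certificates: drop, decrypt or
    monitor. The errors are kept in every case, so Monitor passes them on."""
    errors = certificate_errors(cert, host, now)
    if not errors:
        return {"result": "valid", "errors": []}
    outcomes = {"drop": "dropped", "decrypt": "decrypted",
                "monitor": "evaluate decryption policy"}
    return {"result": outcomes[action], "errors": errors}

# Constructed sample: a wildcard certificate that expired at the end of 2023.
SAMPLE_CERT = {"common_name": "*.example.com", "root": "Example Root CA",
               "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
               "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc)}
```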