Choose SSL protocol Client and Server use in an end-to-end connection

Article ID: 168277

Products

ProxySG Software - SGOS

Issue/Introduction

CPL policy can be created on the ProxySG to allow or deny a single SSL/TLS protocol version or a selection of them.

The policy can be applied globally or restricted to specific URLs, IP addresses, or any other CPL condition.

For example, in an end-to-end connection:

  1. The ProxySG appliance accepts the hello from the server.
  2. The ProxySG appliance forwards the server's hello to the client.
  3. The client either accepts or rejects the server's hello.
    • The client accepts the server's hello. The appliance acknowledges both the server and client. The server and client exchange certificates and establish a connection.
    • The client rejects the server's hello. The server requests a different protocol and the client either accepts or rejects it. If the client does not agree to any of the protocols the server requests, the ProxySG appliance drops the connection.

Environment

The ProxySG appliance has settings that you can configure to control which SSL/TLS protocol versions it supports. See the Editing an SSL Client section of the Administration Guide.

Note: The SSL Client settings apply when the ProxySG appliance acts as an SSL client, that is, when it initiates its own SSL connections, for example when acting as:

  • A reverse proxy
  • The Blue Coat Web Filter
  • A licensing portal

Resolution

You can also specify the preferred SSL and TLS protocol versions in the proxy.

To make this change globally, use either CPL or the Management Console.

To edit the SSL client from the Management Console:

  • Select Configuration > SSL > SSL Client.
  • Choose the keyring to be affected.
  • Select any combination of the protocols listed.
  • Click Apply.

To edit the SSL client via CPL, the syntax of the client-side condition (placed in an <ssl> layer and combined with an allow or deny property to form a rule, as in the host-specific example further down) is:

<ssl>
client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1,TLSV1.2

And the syntax for the server-side condition is:

<ssl>
server.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1,TLSV1.2

To restrict the negotiated protocol version for a specific URL via CPL (or under any other condition), you can use the following sample policy. The first two rules deny connections to the matching host that were negotiated with anything older than TLS 1.2, on either the client or the server side; the last two rules allow TLS 1.2:

<ssl>
url.host.substring=google.com   client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
url.host.substring=google.com   server.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny

url.host.substring=google.com   client.connection.negotiated_ssl_version=TLSV1.2 allow
url.host.substring=google.com   server.connection.negotiated_ssl_version=TLSV1.2 allow
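To see how the client-side and server-side conditions above combine into verdicts, the following Python script is an added example (it is not part of this article and not a Symantec/Broadcom tool). It parses the sample `<ssl>` layer in a simplified model of CPL evaluation: rules are tried top to bottom, the first rule whose conditions all match decides, `url.host.substring` matches when its value is a substring of the host, the version conditions match when the negotiated version is in the comma-separated list, and an unmatched request falls through to an assumed default of `allow`. The default, the first-match model and the sample requests are assumptions made for this illustration.

```python
"""Added example: evaluate ProxySG-style <ssl> layer rules offline.

Simplified model of CPL (assumptions of this example, not a CPL reference):
  * a single <ssl> layer, evaluated top to bottom, first matching rule wins;
  * a condition is `name=value[,value...]`, matching any listed value;
  * the trailing token allow/deny is the rule's action;
  * condition-only lines (no action) decide nothing and are skipped;
  * no rule matching -> layer default (assumed "allow" here).
"""
from dataclasses import dataclass

# The sample policy from the article, embedded so the script runs offline.
CPL_POLICY = """
<ssl>
; deny anything negotiated below TLS 1.2 for the matching host
url.host.substring=google.com   client.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
url.host.substring=google.com   server.connection.negotiated_ssl_version=SSLV2,SSLV3,TLSV1,TLSV1.1 deny
url.host.substring=google.com   client.connection.negotiated_ssl_version=TLSV1.2 allow
url.host.substring=google.com   server.connection.negotiated_ssl_version=TLSV1.2 allow
"""

ACTIONS = {"allow", "deny"}
VERSION_CONDITIONS = {
    "client.connection.negotiated_ssl_version": "client_version",
    "server.connection.negotiated_ssl_version": "server_version",
}


@dataclass(frozen=True)
class Rule:
    conditions: tuple  # ((condition_name, (value, ...)), ...)
    action: str        # "allow" or "deny"


def parse_cpl(text):
    """Turn the <ssl> layer text into Rule objects.

    Layer headers (<ssl>), blank lines and ';' comments are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a CPL comment
        if not line or line.startswith("<"):
            continue
        tokens = line.split()
        if tokens[-1] not in ACTIONS:
            continue  # condition-only syntax line: nothing to decide
        action = tokens.pop()
        conditions = []
        for token in tokens:
            name, _, value = token.partition("=")
            conditions.append((name, tuple(value.split(","))))
        rules.append(Rule(tuple(conditions), action))
    return rules


def _matches(name, values, request):
    """Evaluate one condition against the request attributes."""
    if name == "url.host.substring":
        host = request["host"].lower()
        return any(v.lower() in host for v in values)
    if name in VERSION_CONDITIONS:
        negotiated = request[VERSION_CONDITIONS[name]].upper()
        return negotiated in {v.upper() for v in values}
    raise ValueError(f"condition not covered by this model: {name}")


def evaluate(rules, host, client_version, server_version, default="allow"):
    """Return the verdict for one connection under first-match semantics."""
    request = {
        "host": host,
        "client_version": client_version,
        "server_version": server_version,
    }
    for rule in rules:
        if all(_matches(n, v, request) for n, v in rule.conditions):
            return rule.action
    return default  # assumed layer default when nothing matched


if __name__ == "__main__":
    policy = parse_cpl(CPL_POLICY)
    # Constructed sample connections (host, client-side version, server-side version).
    samples = [
        ("www.google.com", "TLSV1", "TLSV1.2"),    # weak client side -> deny
        ("www.google.com", "TLSV1.2", "TLSV1.1"),  # weak server side -> deny
        ("www.google.com", "TLSV1.2", "TLSV1.2"),  # both modern -> allow
        ("example.net", "SSLV3", "SSLV3"),         # host not covered -> default
    ]
    for host, cv, sv in samples:
        print(f"{host:16} client={cv:8} server={sv:8} -> {evaluate(policy, host, cv, sv)}")
```

The last sample is the point to check before deploying such a policy: a host that the `url.host.substring` condition does not cover is never denied by these rules, so the weak versions remain possible there unless the global SSL client settings or a further rule exclude them.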