When should a Domain Name List be used instead of a Subject/Domain Name List in configuring SSL Visibility?

Article ID: 168942
Products

SSL Visibility Appliance Software

Issue/Introduction

If you need to add hundreds or thousands of domains to a list, use a Domain Names List: these lists are optimized to search the SSL handshake's Common Name (CN), Server Name Indication (SNI), and Subject Alternative Name (SAN) for matching conditions.
 
Here are some points to consider about Domain Names Lists:
- Domain names are an exact match if there is NO delimiter (.) after the wildcard (*). This means *bluecoat.com will match only the literal string *bluecoat.com, whereas *.bluecoat.com will match multiple subdomains.

- Be careful with wildcards: if the FQDN is bto.bluecoat.com and *.bto.bluecoat.com is entered, it will not match anything, because that wildcard only matches names with at least one label in front of bto.bluecoat.com.

- You can also match an exact FQDN, such as bto.bluecoat.com.


Searching domains via the Subject/Domain Name List works the same way, but in this case SSL Visibility also searches for matches in the subject certificate's Distinguished Name (DN) attributes such as CN, OU, O and C. This adds more conditions to search for and requires a second pass over the SSL handshake, which is less efficient.
 
One point to consider about Subject/Domain Name Lists:
- DN details are an exact match, with the exception of CN. The CN can be a wildcard, but unlike the Domain Names List it does not require a delimiter. For example, cn=*bluecoat.com will match bluecoat.com and multiple subdomains.
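To make the two sets of rules concrete, here is an added Python model of the matching behaviour described above for both list types. It is not the appliance's own code; it assumes case-insensitive comparison, that a "*." wildcard accepts any number of labels in front of the suffix, and that the handshake and DN are passed in as plain dictionaries.

```python
import re

# Added model of the matching rules described in this article (not the
# appliance's own code). Assumptions: matching is case-insensitive, and a
# "*." wildcard accepts any number of labels in front of the suffix.


def domain_list_matches(entry: str, name: str) -> bool:
    """Domain Names List rule: a '*.' prefix is a wildcard, anything else is exact."""
    entry, name = entry.lower().rstrip("."), name.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]                      # "*.bluecoat.com" -> ".bluecoat.com"
        # at least one label must precede the suffix, so the bare apex never matches
        # and "*.bto.bluecoat.com" does not match "bto.bluecoat.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    # no delimiter after the wildcard ("*bluecoat.com"), or no wildcard at all:
    # the entry is compared literally
    return entry == name


def domain_list_hit(entries, handshake):
    """Return the first entry matching the handshake's SNI, CN or any SAN, else None."""
    names = [handshake.get("sni", ""), handshake.get("cn", "")] + list(handshake.get("sans", []))
    for entry in entries:
        if any(domain_list_matches(entry, n) for n in names if n):
            return entry
    return None


def subject_list_matches(entry: str, dn: dict) -> bool:
    """Subject/Domain Name List DN rule: attributes are exact, except that CN may
    carry a free '*' wildcard needing no delimiter (cn=*bluecoat.com also matches
    bluecoat.com itself)."""
    attr, _, pattern = entry.partition("=")
    attr, pattern = attr.strip().lower(), pattern.strip().lower()
    value = dn.get(attr, "").lower()             # assumption: dn keys are lower-case
    if attr == "cn" and "*" in pattern:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, value) is not None
    return value == pattern
```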