Configuring the level of protection on the SSL protocol

Stormshield Network Security firewalls are configured by default with a restrictive level of protection for the SSL protocol: they reject all types of incorrect certificates and block traffic if decryption fails.

You can customize this configuration to fit your needs:

  1. Log on to the web administration interface.
  2. In the module Configuration > Application protection > Protocols, select the SSL protocol, then the profile (0) ssl_01 (or another profile depending on your configuration).
  3. In the Proxy tab, in the Content inspection area, indicate whether you wish to Block the connection or Continue analysis to scan traffic in cases where the certificates presented by remote servers are:
    • Self-signed certificates. Since they have not been signed by a trusted public certificate authority (CA), they can be more easily falsified. Stormshield recommends that you block them.
    • Expired certificates. They are no longer in the certificate revocation list (CRL) so it is impossible to know if they are still valid or have been revoked. Stormshield recommends that you block them.
    • Unknown certificates. Stormshield recommends that you block them.
    • Incorrect certificate type,
    • Certificates with incorrect FQDN,
    • When the FQDN of the certificate is different from the SSL domain name.
  4. Select the option Allow IP addresses in SSL domain names to access a website by using its IP address instead of its FQDN.
  5. In the Support area, indicate which actions to perform when:
    • Decryption fails,
    • The certificate cannot be classified under any of the categories in the URL database (embedded URL database or Extended Web Control).
  6. Click on Apply.