Configuring the level of protection on the SSL protocol

Stormshield Network Security firewalls are configured by default with a restrictive level of protection for the SSL protocol: they reject all types of incorrect certificates and block traffic if decryption fails.

You can customize this configuration to fit your needs:

  1. Log on to the web administration interface.
  2. In the module Configuration > Application protection > Protocols, select the SSL protocol, then the profile (0) ssl_01 (or another profile depending on your configuration).
  3. In the Proxy tab, in the Content inspection area, select the action you wish to perform in cases where the certificates presented by remote servers are:
    • Self-signed certificates. Since they have not been signed by a trusted public certificate authority (CA), they can be falsified more easily. Stormshield recommends that you block them.
    • Expired certificates. Since they are no longer listed in the certificate revocation list (CRL), it is impossible to know whether they are still valid or have been revoked. Stormshield recommends that you block them.
    • Unknown certificates. Stormshield recommends that you block them.
    • Incorrect certificate type.
    • Certificates with incorrect FQDN.
    • When the FQDN of the certificate is different from the SSL domain name.

    Three types of actions are available:

    • Block the connection,
    • Continue analysis to scan traffic,
    • Delegate to user. This action, available from version v3.8.0, forces the browser to display a security alarm that warns the user of the potential risk. The user then bears the responsibility of disregarding the alarm if they wish to access the requested website anyway. In this case, the administrator is also notified through an alarm and a specific entry in the alarm log file.
  4. Select the option Allow IP addresses in SSL domain names if websites must be reachable by their IP address instead of their FQDN.
  5. In the Support area, indicate which actions to perform when:
    • Decryption fails,
    • The certificate cannot be classified under any of the categories in the URL database (embedded URL database or Extended Web Control).
  6. Click on Apply.
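The following Python script is an added illustration of the decision the profile above configures; it is not Stormshield code and does not reflect how the firewall parses certificates. Certificates are constructed dicts, the trust store and policy are assumed values, and only the self-signed, expired, unknown-CA and FQDN-versus-SSL-domain categories are modelled, together with the "Allow IP addresses in SSL domain names" option.

```python
# Added illustration, not Stormshield's own code: decide what an SSL proxy would do
# with a server certificate under a per-category policy such as the one in the profile.
# Certificates are constructed dicts; a real proxy parses X.509 and walks a trust store.
import ipaddress
from datetime import datetime, timezone

TRUSTED_CAS = {"Example Root CA"}                 # constructed trust store (assumption)
SEVERITY = {"continue": 0, "delegate": 1, "block": 2}

def hostname_matches(pattern, host):
    """RFC 6125-style match: a leading '*' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def classify(cert, ssl_domain, now, trusted_cas=TRUSTED_CAS):
    """List the problem categories found for `cert` presented for `ssl_domain`."""
    problems = []
    if cert["issuer"] == cert["subject"]:
        problems.append("self_signed")            # only the holder vouches for it
    elif cert["issuer"] not in trusted_cas:
        problems.append("unknown")                # issuer absent from the trust store
    if now > cert["not_after"]:
        problems.append("expired")                # CRLs stop listing expired certs
    if not any(hostname_matches(n, ssl_domain) for n in cert["names"]):
        problems.append("fqdn_mismatch")          # cert FQDN != SSL domain name (SNI)
    return problems

def decide(policy, cert, ssl_domain, now, allow_ip_in_domain=False):
    """Most restrictive configured action wins; IP literals need the option enabled."""
    if is_ip_literal(ssl_domain) and not allow_ip_in_domain:
        return "block"
    actions = [policy[p] for p in classify(cert, ssl_domain, now)] or ["continue"]
    return max(actions, key=SEVERITY.__getitem__)

# Constructed sample: the recommended blocking policy and a self-signed intranet cert.
POLICY = {"self_signed": "block", "expired": "block", "unknown": "block",
          "fqdn_mismatch": "delegate"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {"subject": "intranet.example", "issuer": "intranet.example",
          "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
          "names": ["intranet.example", "*.intranet.example"]}
```

Running `decide(POLICY, SAMPLE, "www.intranet.example", NOW)` returns "block", because the self-signed category is set to block even though the wildcard name matches.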