SSL Control Configuration
SSL Control is located on the Firewall panel, under the SSL Control folder. SSL Control has a global setting as well as a per-zone setting. By default, SSL Control is not enabled at either the global or the zone level. The individual page controls are described below (refer to the Key Concepts for SSL Control section for the terms used).
General Settings
Enable SSL Control – The global on/off switch for SSL Control. It must be enabled for SSL Control to take effect on any zone; enabling SSL Control on a zone without the global setting has no effect.
Action
Log the event – If an SSL policy violation, as defined within the Configuration section below, is detected, the event will be logged, but the SSL connection will be allowed to continue.
Block the connection and log the event – In the event of a policy violation, the connection will be blocked and the event will be logged.
Configuration
Enable Blacklist – Enables matching of certificate common names against the blacklist entries configured in the Custom Lists section below. A match is treated as a policy violation.
Enable Whitelist – Enables matching of certificate common names against the whitelist entries configured in the Custom Lists section below. A whitelist match takes precedence over all other SSL Control settings: a whitelisted connection is allowed even if it would otherwise fail a blacklist, expiry, self-signed, untrusted-CA, weak-cipher or MD5 check. Because entries are matched as substrings, keep whitelist entries as specific as possible so that they do not exempt more hosts than intended.
Detect Expired Certificates – Controls detection of certificates that are outside their validity period: certificates whose start date (notBefore) is later than the current system time, or whose end date (notAfter) is earlier than the current system time. Date validation depends on the firewall’s System Time, so a wrong clock causes either false blocks or missed expirations. Make sure the System Time is set correctly, preferably synchronized with NTP, on the System > Time page.
Detect SSLv2 – Controls detection of SSLv2 exchanges. SSLv2 is susceptible to cipher-rollback (downgrade) attacks because its handshake is not integrity-protected, so an attacker on the path can force the weakest cipher both sides support. SSLv3 is itself deprecated (RFC 7568) because of POODLE; use TLS 1.2 or later in its place.
Detect Self-signed certificates – Controls detection of certificates in which the issuer common name and the subject common name are identical. Note that this is a common-name comparison, not a signature check: a certificate whose subject and issuer merely share a common name is also flagged.
Detect Certificates signed by an Untrusted CA – Controls detection of certificates whose issuer certificate is not in the firewall’s System > Certificates trusted store. A self-signed certificate will normally trigger this detection as well, unless it has been imported into the trusted store.
Detect Weak Ciphers (<64 bits) – Controls detection of SSL sessions negotiated with a symmetric key length below 64 bits, which typically indicates an export-grade cipher (40- or 56-bit).
Detect MD5 Digest – Controls detection of certificates whose signature uses an MD5 digest. MD5 collisions are practical, which allows an attacker to craft a second certificate carrying the same signature as a legitimately issued one.
Custom Lists
Configure Blacklist and Whitelist – Allows the administrator to define strings to be matched against the common name in SSL certificates. Entries are case-insensitive and are matched as substrings of the common name, not as exact host names. Matching is performed on the certificate, not on the URL or IP address the client connected to, so a host reached by IP address still matches if its certificate’s common name does. For example:

Entry “sonicwall.com” would match: https://www.sonicwall.com, https://csm.demo.sonicwall.com, https://mysonicwall.com, https://supersonicwall.computers.org, https://67.115.118.87 (see note 1)
Entry “prox” would match: https://proxify.org, https://www.proxify.org, https://megaproxy.com, https://1070652204 (see note 2)
Entry “prox” would not match: https://www.freeproxy.ru (see note 3)

Note 1: 67.115.118.67 is currently the IP address to which sslvpn.demo.sonicwall.com resolves, and that site presents a certificate issued to sslvpn.demo.sonicwall.com. This results in a match to “sonicwall.com” because matching is performed on the common name in the certificate. For the same reason the unrelated host supersonicwall.computers.org also matches, since “sonicwall.com” is a substring of its name.

Note 2: 1070652204 is the decimal notation for the IP address 63.208.219.44, whose certificate is issued to www.megaproxy.com. Writing an address in this form does not evade the check, because the certificate common name is still inspected.

Note 3: www.freeproxy.ru does not match “prox” because the certificate currently presented by this site is a self-signed certificate issued to “-”. Such a site is easily blocked anyway by enabling detection of self-signed or untrusted-CA certificates.
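The following model of the evaluation order described on this page is an added example, not SonicWall code; the firewall’s actual implementation is not public, and the code reproduces only the behaviour the page documents (case-insensitive substring matching on the certificate common name, whitelist precedence over every other check, and the individual detections). The certificate records, the policy, the “Example CA” issuer and the fixed system time are all constructed for the example.

```python
"""Model of the SSL Control checks described on this page (added example, not
SonicWall code).  All sessions, issuers, dates and list entries are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import IPv4Address


@dataclass
class SSLSession:
    """What the firewall learns from one SSL handshake (constructed record)."""
    common_name: str             # subject CN in the server certificate
    issuer_cn: str               # issuer CN in the server certificate
    not_before: datetime
    not_after: datetime
    protocol: str = "TLSv1.2"    # "SSLv2", "SSLv3", "TLSv1.2", ...
    cipher_bits: int = 128       # negotiated symmetric key length
    sig_hash: str = "sha256"     # digest used in the certificate signature
    issuer_trusted: bool = True  # issuer CA present in the trusted store


@dataclass
class SSLControlPolicy:
    """The Configuration and Custom Lists settings from this page."""
    enable_blacklist: bool = True
    enable_whitelist: bool = True
    blacklist: list = field(default_factory=list)
    whitelist: list = field(default_factory=list)
    detect_expired: bool = True
    detect_sslv2: bool = True
    detect_self_signed: bool = True
    detect_untrusted_ca: bool = True
    detect_weak_ciphers: bool = True
    detect_md5: bool = True


def list_match(entries, common_name):
    """Case-insensitive substring match of list entries against the CN.
    Returns the first matching entry, or None."""
    cn = common_name.lower()
    for entry in entries:
        if entry.lower() in cn:
            return entry
    return None


def evaluate(policy, session, now):
    """Return the list of violations for one session (empty means allowed).
    A whitelist hit short-circuits every other check, as the page states."""
    if policy.enable_whitelist and list_match(policy.whitelist, session.common_name):
        return []
    violations = []
    if policy.enable_blacklist:
        hit = list_match(policy.blacklist, session.common_name)
        if hit:
            violations.append(f"blacklist:{hit}")
    # Expired: notBefore later than now, or notAfter earlier than now.
    if policy.detect_expired and not (session.not_before <= now <= session.not_after):
        violations.append("expired")
    if policy.detect_sslv2 and session.protocol == "SSLv2":
        violations.append("sslv2")
    # The page describes self-signed detection as an issuer CN == subject CN test.
    if policy.detect_self_signed and session.common_name == session.issuer_cn:
        violations.append("self-signed")
    if policy.detect_untrusted_ca and not session.issuer_trusted:
        violations.append("untrusted-ca")
    if policy.detect_weak_ciphers and session.cipher_bits < 64:
        violations.append("weak-cipher")
    if policy.detect_md5 and session.sig_hash.lower() == "md5":
        violations.append("md5")
    return violations


def decimal_to_ipv4(n):
    """Expand the decimal-notation address trick from note 2 above."""
    return str(IPv4Address(n))


# Constructed inputs: a fixed "system time" and a validity window around it.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
VALID = (datetime(2023, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc))

SAMPLES = [
    SSLSession("www.megaproxy.com", "Example CA", *VALID),
    SSLSession("-", "-", *VALID, issuer_trusted=False),          # note 3 case
    SSLSession("supersonicwall.computers.org", "Example CA", *VALID,
               protocol="SSLv2", sig_hash="md5"),                # whitelisted anyway
    SSLSession("legacy.example", "Example CA", *VALID,
               protocol="SSLv2", cipher_bits=40, sig_hash="md5"),
    SSLSession("old.example", "Example CA",
               datetime(2020, 1, 1, tzinfo=timezone.utc),
               datetime(2021, 1, 1, tzinfo=timezone.utc)),
]

# Deliberately over-broad whitelist entry to show the precedence hazard.
POLICY = SSLControlPolicy(blacklist=["prox"], whitelist=["sonicwall.com"])


def run_samples():
    """Evaluate every constructed session; keyed by common name."""
    return {s.common_name: evaluate(POLICY, s, NOW) for s in SAMPLES}


if __name__ == "__main__":
    for cn, result in run_samples().items():
        print(f"{cn:32} -> {'allowed' if not result else ', '.join(result)}")
```

The supersonicwall.computers.org session is allowed despite negotiating SSLv2 with an MD5-signed certificate, purely because “sonicwall.com” is a substring of its name and whitelist matches override every other check; that is the over-matching the Custom Lists caveat above refers to.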

To configure the Whitelist and Blacklist, click the Configure button to open the list configuration window.
Entries can be added, edited and deleted with the buttons beneath each list.
Changes to any of the SSL Control settings do not affect connections that are already established; only new SSL handshakes that occur after the change is committed are inspected and acted upon.