Tab – SSL

SSL settings can be modified here to configure the details of the HTTPS connection for an individual virtual host.

Enable OCSP stapling	This option enables Online Certificate Status Protocol OCSP stapling. The Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked.
Enable OCSP stapling	Note: ● OCSP servers must be whitelisted in the Section – Allowed Network Endpoints. ● External OCSP server on the internet may also be reached through an external interface if it is configured accordingly. Depending on the setup, entries in the Submenu – Hosts and Submenu – Routes may be necessary. ● Validation of client certificates using OCSP is enabled in the client certificate settings, on Certificate Settings.

Server certificate	A selectable list of SSL/TLS certificates for this virtual host.

E-mail address	The email address of the server administrator.
E-mail address	Note: This email address is used as contact information for Let's Encrypt functionality.
Content of SSL server certificate	Shows the content of the certificate.

Content of CA chain	Shows the chain of trust of the certificate chain.
Content of CA chain	Note: OCSP requires valid chain information for certificate validation - see also Tab – Client Certificates.

Content of SSL root CA certificate	Shows the content of the certificate.

SSL protocol	The SSL/TLS version which will be used by this virtual host can be set here. ● Radio button Default – Apache default values will be used. ● Radio button Custom – set custom values in the SSL protocol field below.
SSL protocol	Note: See the Apache mod_ssl documentation for complete documentation.

Cipher suite	List the ciphers that the client is permitted to negotiate. ● Radio button Default – default Airlock cipher suite, optimized for security and backward compatibility with clients. ● Radio button Custom – set custom values in the cipher suite field below.
Cipher suite	Note: See the Apache mod_ssl documentation for complete documentation.

Note that the Airlock Gateway default SSL/TLS settings are optimized for compatibility and security. If you override the default settings you will no longer profit from these optimizations in further Airlock Gateway updates.

We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms

Weakening SSL/TLS settings will most likely result in low scores for scanners like ssllabs.com or pentester reporting the security issues associated with old ciphers and protocols.

Further information and links

●
For more information about SSL protocol and Cipher suite settings: Activation of old SSL/TLS and cipher suites
●
For more information about SSL protocol settings: Supported SSL/TLS versions
●
TLS/SSL Certificate creation
●
Let's Encrypt as certificate provider
●
Add or configure a new global SSL/TLS server certificate
●
Add or configure a new global SSL/TLS client certificate
●
External Apache documentation: Apache mod_ssl