SSL settings can be modified here to configure the details of the HTTPS connection for an individual back-end server.
Client certificate | A selectable list of SSL/TLS certificates for this client. |
Content of SSL client certificate | Shows the content of the certificate. |
Content of CA chain | Shows the chain of trust of the certificate chain. |
SSL protocol | The SSL/TLS version which will be used by this virtual host can be set here. If the setting is left empty, the Apache default values will be used. See the Apache mod_ssl documentation for details. |
Cipher suite | List the ciphers that the client is permitted to negotiate. If the setting is left empty, the Apache default will be used. Follow the link to the Apache mod_ssl reference at the end of this article for more information. |
Force new session | Checkbox to enable/disable forced restart of SSL/TLS handshake. |
Verify host name | Checkbox to disable/enable hostname verification. Default is enabled. Hostname verification requires a server identity check in combination with a valid CA chain to mitigate man-in-the-middle attacks. Without a CA, the configuration validation will fail. See also CAs for server chain validation. |
Allow insecure server certificate verification | Checkbox to enable/disable insecure server certificate verification. Note that by enabling this option you explicitly allow skipping the hostname and CA server chain validation. |
Note that the Airlock Gateway default SSL/TLS settings are optimized for compatibility and security. If you override the default settings, you will no longer benefit from these optimizations in further Airlock Gateway updates.
We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms
Weakening SSL/TLS settings will most likely result in low scores from scanners like ssllabs.com, or in pentesters reporting the security issues associated with old ciphers and protocols.
With this tool, the back-end server certificate chain can be validated.
CAs for server chain validation | Certificate chain verification to make sure a given certificate chain is valid, properly signed, and trustworthy. A CA has to be added when Verify host name is enabled; otherwise the configuration validation will fail. |
Content of CA chain | Shows the chain of trust of the certificate chain. |
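
The difference between the verified and the insecure back-end connection described in the two tables above, written as stock Apache mod_ssl proxy directives. This is an added example, not configuration generated by Airlock Gateway; the mapping of each field to a directive, the host name `backend.example.internal` and all file paths are assumptions made for illustration.

```apache
# Assumed mapping of the fields above to stock mod_ssl directives.
# Host name and file paths are placeholders. Use variant A or variant B, not both.

# --- Variant A (weak): "Allow insecure server certificate verification" enabled ---
SSLProxyEngine on
# CA chain validation skipped: a certificate from any issuer is accepted.
SSLProxyVerify none
# Hostname validation skipped: the certificate need not name the back-end.
# Both directives are switched off because CheckPeerCN is still consulted
# when CheckPeerName is off.
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
# Overriding "SSL protocol" to re-enable old versions for a legacy back-end.
SSLProxyProtocol +TLSv1 +TLSv1.1 +TLSv1.2
ProxyPass "/" "https://backend.example.internal/"

# --- Variant B (verified): "Verify host name" enabled with a CA configured ---
SSLProxyEngine on
# "CAs for server chain validation": the chain must end at one of these CAs.
SSLProxyCACertificateFile "/path/to/backend-ca-chain.pem"
SSLProxyVerify require
# "Verify host name": the certificate must match the name in the ProxyPass URL.
SSLProxyCheckPeerName on
# Expired back-end certificates are rejected.
SSLProxyCheckPeerExpire on
# "Client certificate": certificate and key presented to the back-end.
SSLProxyMachineCertificateFile "/path/to/gateway-client-cert-and-key.pem"
# "SSL protocol" and "Cipher suite" are left unset so the defaults apply.
ProxyPass "/" "https://backend.example.internal/"
```

In variant B the identity check only has meaning because the chain is validated against a known CA, which is why a CA has to be present when hostname verification is enabled.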