Tab – SSL

SSL settings can be modified here to configure the details of the HTTPS connection for an individual back-end server.

Tab SSL back-end detail page

Section – SSL Settings

Client certificate
A selectable list of SSL/TLS certificates for this client.
Content of SSL client certificate
Shows the content of the certificate.
Content of CA chain
Shows the chain of trust of the certificate chain.
SSL protocol
The SSL/TLS version which will be used by this virtual host can be set here. If the setting is left empty, the Apache default values will be used. See the Apache mod_ssl documentation for the full list of values.
Cipher suite
Lists the ciphers that the client is permitted to negotiate. If the setting is left empty, the Apache default will be used. Follow the link to the Apache mod_ssl reference at the end of this article for more information.
  Restrictions:
  • Cipher-spec strings can be used with all SSL protocol settings except TLSv1_3.
  • TLSv1.3 cipher names require the SSL protocol to be set to TLSv1_3.
Force new session
Checkbox to enable/disable forced restart of SSL/TLS handshake.
Verify host name
Checkbox to disable/enable hostname verification. Default is enabled.
Hostname verification requires a server identity check in combination with a valid CA chain to mitigate man-in-the-middle attacks. Without a CA, the configuration validation will fail. See also CAs for server chain validation.
Allow insecure server certificate verification
Checkbox to enable/disable insecure server certificate verification.
Note that by enabling this option you explicitly allow skipping the hostname and CA server chain validation.

Note that the Airlock Gateway default SSL/TLS settings are optimized for compatibility and security. If you override the default settings you will no longer profit from these optimizations in further Airlock Gateway updates.

We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms

Weakening the SSL/TLS settings will most likely result in low scores from scanners such as ssllabs.com, or in pentesters reporting the security issues associated with old ciphers and protocols.

Section – Certificate Authority

With this tool, the back-end server certificate chain can be validated.

CAs for server chain validation
Certificate chain verification makes sure that a given certificate chain is valid, properly signed, and trustworthy. A CA has to be added when Verify host name is enabled; otherwise, the configuration validation will fail.
Content of CA chain
Shows the chain of trust of the certificate chain.
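The validation rules from the SSL Settings and Certificate Authority sections above (cipher-spec strings versus TLSv1_3, TLSv1.3 cipher names, Verify host name requiring a CA, and what Allow insecure server certificate verification switches off), as an added example that is not Airlock Gateway's own code: it checks a constructed settings dictionary (the key names are assumptions, not Airlock's) and builds the equivalent client-side context with Python's standard ssl module.

```python
import ssl

TLS13_PROTO = "TLSv1_3"  # value name used on the SSL tab for TLS 1.3 only


def is_tls13_name(cipher):
    # OpenSSL names TLS 1.3 suites "TLS_..." (e.g. TLS_AES_256_GCM_SHA384);
    # cipher-spec strings for TLS 1.2 and older look like HIGH:!aNULL or
    # ECDHE-RSA-AES256-GCM-SHA384 and never carry that prefix.
    return cipher.strip().startswith("TLS_")


def validate_settings(s):
    """Return the findings the configuration validation would raise (constructed rules)."""
    findings = []
    proto = s.get("ssl_protocol", "")
    suites = [c for c in s.get("cipher_suite", "").split(":") if c]
    tls13 = [c for c in suites if is_tls13_name(c)]
    legacy = [c for c in suites if not is_tls13_name(c)]
    if proto == TLS13_PROTO and legacy:
        findings.append("cipher-spec strings cannot be combined with TLSv1_3")
    if tls13 and proto != TLS13_PROTO:
        findings.append("TLSv1.3 cipher names require SSL protocol TLSv1_3")
    if s.get("verify_host_name", True) and not s.get("ca_chain"):
        findings.append("Verify host name is enabled but no CA for server chain validation is set")
    if s.get("allow_insecure"):
        findings.append("insecure verification skips hostname and CA chain validation")
    return findings


def build_client_context(s, cafile=None):
    """Client-side context the gateway would present towards the back-end server."""
    ctx = ssl.create_default_context()  # chain + hostname verification on by default
    if s.get("allow_insecure"):
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = bool(s.get("verify_host_name", True))
        ctx.verify_mode = ssl.CERT_REQUIRED
        if cafile:
            ctx.load_verify_locations(cafile)  # the "CAs for server chain validation" bundle
    if s.get("ssl_protocol") == TLS13_PROTO:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    legacy = ":".join(c for c in s.get("cipher_suite", "").split(":") if c and not is_tls13_name(c))
    if legacy:
        ctx.set_ciphers(legacy)  # OpenSSL rejects an invalid cipher-spec string with ssl.SSLError
    return ctx
```

Run `validate_settings` before `build_client_context`; the latter deliberately does not repeat the TLS 1.3 checks, it only applies what OpenSSL itself will enforce.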

Further information and links