Tab – SSL

SSL settings can be modified here to configure the details of the HTTPS connection for an individual back-end server.

Tab SSL back-end detail page

Section – SSL Settings

Client certificate

A selectable list of SSL/TLS certificates for this client.

Content of SSL client certificate

Shows the content of the certificate.

Content of CA chain

Shows the certificate chain.

SSL protocol

Sets the SSL/TLS version used for connections to this back-end. If the setting is left empty, the Airlock Gateway default will be used.

Cipher suite

Lists the ciphers that the client is permitted to negotiate. If the setting is left empty, the Airlock Gateway default will be used.

Restrictions:
  • Cipher-spec strings can be used with all SSL Protocol settings except TLSv1_3.
  • TLSv1.3 cipher names require setting the SSL protocol to TLSv1_3.

Force new session

Checkbox to enable/disable a forced restart of the SSL/TLS handshake.

We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. For example, SSLv3 is not supported by Airlock Gateway 8.0 and higher (configuration activation fails). If you use custom settings, you will also not automatically benefit from optimizations in future Airlock Gateway updates.

Weakening the SSL/TLS settings will most likely result in low scores from scanners such as ssllabs.com, or in penetration testers reporting the security issues associated with old ciphers and protocols.

A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms.

Section – Server Certificate Validation

Settings to control how back-end server certificates are verified.

ON/OFF

Enables or disables the server certificate validation mechanism.

Verify host name

Checkbox to enable/disable hostname verification.

Hostname verification requires a server identity check in combination with a valid CA chain to mitigate man-in-the-middle attacks. A CA certificate is mandatory when Verify host name is enabled.

CAs for server chain validation

The certificates of the CA chain to verify the chain of trust. A CA certificate is mandatory when Verify host name is enabled.

Content of CA chain

Shows the certificate chain.
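The dependencies between the fields of the two sections above (protocol version, cipher spec, server certificate validation ON/OFF, Verify host name and the CA chain) map directly onto a TLS client context. The following is an added example, not Airlock Gateway code, that mirrors those settings with Python's standard ssl module: the keyword arguments, the rule list in check_settings() and the describe() summary are assumptions made for this illustration, and the sample cipher name is a constructed input.

```python
"""Added example: model the back-end SSL tab settings as a Python ssl.SSLContext.

Not Airlock Gateway code. Each keyword argument of build_backend_context()
stands for one field on the page; the error rules encode the page's statement
that a CA certificate is mandatory when Verify host name is enabled.
"""
import ssl
from typing import List, Optional


class BackendTlsConfigError(ValueError):
    """Raised for a setting combination the page rules out."""


def check_settings(*, validate_server_cert: bool, verify_host_name: bool,
                   ca_chain_pem: Optional[str]) -> List[str]:
    """Return the list of violated rules (empty when the combination is valid)."""
    problems = []
    if verify_host_name and ca_chain_pem is None:
        problems.append("Verify host name requires a CA chain")
    if verify_host_name and not validate_server_cert:
        problems.append("Verify host name requires server certificate validation ON")
    return problems


def build_backend_context(
    *,
    validate_server_cert: bool = True,    # section "Server Certificate Validation": ON/OFF
    verify_host_name: bool = True,        # "Verify host name"
    ca_chain_pem: Optional[str] = None,   # "CAs for server chain validation" (PEM text)
    min_version: str = "TLSv1_2",         # "SSL protocol", e.g. "TLSv1_3"
    cipher_spec: Optional[str] = None,    # "Cipher suite" (OpenSSL cipher-spec string)
) -> ssl.SSLContext:
    problems = check_settings(validate_server_cert=validate_server_cert,
                              verify_host_name=verify_host_name,
                              ca_chain_pem=ca_chain_pem)
    if problems:
        raise BackendTlsConfigError("; ".join(problems))

    # The gateway is the TLS client towards the back-end.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion[min_version]
    # Order matters: the ssl module refuses CERT_NONE while check_hostname is
    # still True, so the hostname flag is set before the verify mode.
    ctx.check_hostname = verify_host_name
    ctx.verify_mode = ssl.CERT_REQUIRED if validate_server_cert else ssl.CERT_NONE
    if ca_chain_pem is not None:
        # Only the configured chain is trusted; the system store is not loaded.
        ctx.load_verify_locations(cadata=ca_chain_pem)
    if cipher_spec:
        # A cipher-spec string governs TLS 1.2 and below; OpenSSL keeps the
        # TLS 1.3 suites in a separate list, matching the page's restriction.
        ctx.set_ciphers(cipher_spec)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of a context, convenient for tests and config audits."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        # TLS 1.2-and-below ciphers actually enabled after set_ciphers()
        "tls12_ciphers": [c["name"] for c in ctx.get_ciphers()
                          if c["protocol"] != "TLSv1.3"],
    }


def hostname_check_without_chain_validation() -> bool:
    """True only if the ssl module lets hostname verification stay on while
    chain validation is switched off; it does not, which is the same
    dependency the page states for Verify host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname is True here
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed cipher name; validation ON, hostname check OFF (no CA supplied).
    ctx = build_backend_context(verify_host_name=False,
                                cipher_spec="ECDHE-RSA-AES128-GCM-SHA256")
    print(describe(ctx))
    print("invalid combos:", check_settings(validate_server_cert=False,
                                            verify_host_name=True, ca_chain_pem=None))
```

Passing a real PEM chain as ca_chain_pem enables the hostname-verifying path; without one, the builder refuses the combination before any context is created, which is the behaviour to expect from the gateway configuration as well.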