Tab – SSL

SSL settings can be modified here to configure the details of the HTTPS connection for an individual virtual host.

Example with Server certificate enabled:

Example with ACME service enabled:

Setting

Description

Enable OCSP stapling

This option enables Online Certificate Status Protocol OCSP stapling.

The Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) protocol. Both protocols are used to check whether an SSL Certificate has been revoked.

Note:

  • OCSP servers must be in the list of allowed network endpoints. See Section – Allowed Network Endpoints.
  • External OCSP server on the internet may also be reached through an external interface if it is configured accordingly. Depending on the setup, entries in the Submenu – Hosts and Submenu – Routes may be necessary.
  • Validation of client certificates using OCSP is enabled in the client certificate settings, on Certificate Settings.
  • OCSP stapling and ACME services cannot be enabled at the same time.

Certificate type

Server certificate, the SSL/TLS certificate for this virtual host.

  • Server certificate drop-down for certificate selection.
  • Content of SSL server certificate.
  • Content of CA chain.
  •  
    Notice

    OCSP requires valid chain information for certificate validation - see also Tab – Client Certificates.

  • Content of SSL root CA certificate.

ACME service as configured in Tab – ACME Services (virtual hosts).

 
Risk

If the TLS certificate presented by the configured ACME service endpoint is issued by a certification CA that is not trusted by the Gateway instance, Airlock Gateway cannot establish the TLS connection to the ACME service. As a result, certificate issuance or renewal fails and the affected virtual host may no longer provide HTTPS as intended. See ACME Service configuration for details.

  • ACME service drop-down for service selection.
  • ACME challenge type used by the selected ACME service to validate domain ownership during certificate issuance. Two challenge types are available:
    • TLS-ALPN-01 (default):
      The ACME server validates domain ownership by initiating a TLS handshake and verifying a special certificate presented by the gateway. This method requires the gateway to be directly reachable on port 443.
    • DNS-01:
      The ACME server verifies domain ownership by checking a DNS TXT record under the domain. This method is typically used when TLS-ALPN-01 is not feasible — for example, when the gateway is not publicly accessible or port 443 is blocked.
      Note: This challenge type requires both the ACME service and the DNS provider to support DNS-01 validation.
  • E-mail address of the server administrator. This address is used as contact information for the ACME service. The address can be set individually for each virtual host.
  • Comment on the selected ACME service (only refreshed on validation).
 
Info

For each ACME service used by a virtual host, a firewall rule is set to allow the network endpoint. The host and port information is automatically extracted from the URL field. It is not necessary to add the ACME service to the list of allowed network endpoints.

 
Notice

By using an ACME service, you automatically agree to the terms and conditions of use for the service.

For the Let's Encrypt subscriber agreement, see the Let's Encrypt policy and legal documentation.

SSL protocol

The SSL/TLS version which will be used by this virtual host can be set here.

  • Radio button Default – Airlock Gateway default values will be used.
  • Radio button Custom – set custom values in the SSL protocol field below.

Cipher suite

List the ciphers that the client is permitted to negotiate.

  • Radio button Default – default Airlock Gateway cipher suite, optimized for security and backward compatibility with clients.
  • Radio button Custom – set custom values in the cipher suite field below.
 
Risk

We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. For example, SSLv3 is not supported by Airlock Gateway 8.0 and higher (configuration activation fails). If you use custom settings, you will also not automatically benefit from optimizations in future Airlock Gateway updates.

Weakening SSL/TLS settings will most likely result in low scores for scanners like ssllabs.com or pentester reporting the security issues associated with old ciphers and protocols.

A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms.