Tab – SSL

Here, SSL settings can be modified to configure the details of the HTTPS connection for a back-end group.

 
Notice

SSL is only applied to back-end hosts that communicate over the HTTPS protocol. Therefore, these settings are validated only if at least one back-end host is configured to use HTTPS.

Section – SSL Settings

Client certificate

A selectable list of SSL/TLS certificates for this client.

Content of SSL client certificate

Shows the content of the certificate.

Content of CA chain

Shows the certificate chain.

SSL protocol

The SSL/TLS version which will be used by this back-end can be set here. If the setting is left empty, Airlock Gateway defaults will be used.

Cipher suite

List the ciphers that the client is permitted to negotiate. If the setting is left empty, the Airlock Gateway default will be used.

Restrictions:

  • Cipher-spec strings can be used with all SSL Protocol settings except TLSv1_3.
  • TLSv1.3 cipher names require setting the SSL protocol to TLSv1_3.

Force new session

Checkbox to enable/disable forced restart of SSL/TLS handshake.

 
Risk

We strongly recommend using the default TLS settings of Airlock Gateway in order to mitigate the risk of attacks based on older protocol versions. For example, SSLv3 is not supported by Airlock Gateway 8.0 and higher (configuration activation fails). If you use custom settings, you will also not automatically benefit from optimizations in future Airlock Gateway updates.

Weakening SSL/TLS settings will most likely result in low scores for scanners like ssllabs.com or pentester reporting the security issues associated with old ciphers and protocols.

A list of known attacks on SSL/TLS can be found here: Attacks on TLS and Airlock Gateway Protection Mechanisms.

Section – Server Certificate Validation

Settings to control how back-end server certificates are verified.

Setting

Description

ON/OFF

Enables or disables the server certificate validation mechanism.

 
Risk

When Server Certificate Validation is enabled, you must provide at least one valid CA certificate. Otherwise, the identity of the back-end server cannot be verified. Such an invalid SSL configuration may lead to insecure or failed connections.

When Server Certificate Validation is enabled and no or an invalid CA certificate is provided, the following applies:

  • If HTTPS is selected as Back-end Hosts protocol in the Basic tab, a validation error is reported.
  • If HTTP is selected as Back-end Hosts protocol in the Basic tab, CA certificate validation is skipped, and the invalid SSL configuration is permitted.

Verify host name

Checkbox to disable/enable hostname verification.

Hostname verification requires a server identity check in combination with a valid CA chain to mitigate man-in-the-middle attacks.

CAs for server chain validation

The certificates of the CA chain to verify the chain of trust.

Content of CA chain

Shows the certificate chain.

Further information and links