
What are the Advanced SSL Settings?

Question

  • What are the Advanced SSL Settings on the Front End SSL Profile configuration page?

 

Environment

  • Silverline WAF
  • Proxy / Proxies
    • SSL Profile

 

Answer

Advanced SSL Settings

Field / Meaning

Renegotiation

Enable

The Renegotiation setting can be configured to control whether the proxy allows midstream session renegotiation. When Renegotiation is enabled, Silverline processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration.

Renegotiation Period

The amount of time in seconds, counted from the initial connection, after which the system renegotiates the SSL session. Indefinite (the default) means the session is never renegotiated on the basis of elapsed time.

Renegotiation Size

The amount of application data in megabytes, counted from the initial connection, after which the system renegotiates the SSL session. Indefinite (the default) means the session is never renegotiated on the basis of data volume.

Secure Renegotiation

The Silverline profiles support the TLS Renegotiation Indication Extension, which allows the user to specify the method of secure renegotiation for SSL connections. The default value for the Client SSL profile is Require. The values for the Secure Renegotiation setting in the Client SSL profile are as follows:

Request: Specifies that the system requests secure renegotiation of SSL connections.

Require: Specifies that the system requires secure renegotiation of SSL connections. In this mode, the system permits initial SSL handshakes from clients, but terminates renegotiations from clients that do not support secure renegotiation.

Require Strict: Specifies that the system requires strict, secure renegotiation of SSL connections. In this mode, the system denies initial SSL handshakes from clients that do not support secure renegotiation.

Renegotiation Maximums (SSL Records / min)

The maximum number of SSL renegotiations allowed in any 1-minute period.

Renegotiation Record Delay

The number of SSL records allowed during the SSL renegotiation before the system terminates the connection.

Peer Timeout

The number of seconds the system waits before resetting the connection to peer systems that do not renegotiate SSL sessions.

Handshake Timeout

The Handshake Timeout setting specifies the number of seconds that the system tries to establish an SSL connection before terminating the operation.

Alert Timeout

The Alert Timeout setting specifies the duration that the system tries to close an SSL connection by transmitting an alert or initiating an unclean shutdown before resetting the connection. Select Indefinite to specify that the connection should not be reset after transmitting an alert or initiating an unclean shutdown.

Cache Size

The Cache Size setting specifies the maximum number of SSL sessions allowed in the SSL session cache. The default value for Cache Size is 262144 sessions. For information about the SSL Cache Size settings, refer to SOL6767: Overview of Silverline SSL session cache profile settings.  

SOC ACCESS ONLY

Cache Timeout

The Cache Timeout setting specifies the number of seconds that SSL sessions are allowed to remain in the SSL session cache before being removed. The default value for Cache Timeout is 3600 seconds. The range of values configurable for Cache Timeout is between 0 and 86400 seconds inclusive. Note: Longer cache timeout periods can increase the risk of SSL session hijacking.

SOC ACCESS ONLY

SSL Termination

Full termination (default) – Both the incoming connection to Silverline and the connection to the origin servers are encrypted.

Partial termination – Only the incoming connection to Silverline is SSL encrypted.

Partial termination with fail open on SSL decryption failure – Terminates incoming SSL at Silverline, but falls back to an unencrypted connection in the event of an SSL decryption failure.

Session End

Unclean shutdown

The SSL protocol performs a clean shutdown of an active TLS/SSL connection by sending a close notify alert to the peer system. The Unclean Shutdown setting allows the Silverline system to perform an unclean shutdown of SSL connections by closing the underlying TCP connection without sending the SSL close notify alert. By default, this setting is enabled (selected) and is useful for certain browsers that handle SSL shutdown alerts differently. For example, some versions of Internet Explorer require SSL shutdown alerts from the server while other versions do not, and the SSL profile cannot always detect this requirement.

Important: If you disable (clear) the Unclean Shutdown setting, some browsers may display blank pages or errors when connecting to the virtual server.

Session Ticket

SSL profiles support the stateless TLS session resumption mechanism described in IETF RFC 5077. This mechanism allows Silverline to encapsulate the TLS session state in a ticket that is handed to the client, and allows the client to subsequently resume the TLS session by presenting that same ticket.

Options

When enabled, the system applies the Options List setting, which specifies the industry-standard SSL options and workarounds used when handling SSL processing.

ModSSL Methods

ModSSL Methods enables or disables ModSSL method emulation. Enable this option when OpenSSL methods are inadequate, for example, when you want to use SSL compression over TLSv1. By default, this setting is disabled (cleared).  

SOC ACCESS ONLY

SSL Signing Hash

Specifies the hash algorithm Silverline uses for server key exchanges with Elliptic Curve ciphers. Possible choices are SHA1, SHA256, SHA384, or Any. When you select Any, you authorize the system to choose any one of the hash algorithms. Note that in this case, Silverline chooses SHA1 whenever possible.  

SOC ACCESS ONLY
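As an added illustration (not code from the article or from the Silverline product), the following script reviews a Front End SSL Profile's Advanced SSL Settings against the cautions stated above; the profile is a plain dictionary whose keys and sample values are constructed for this example, and unspecified keys fall back to the defaults the article documents.

```python
# Added illustration, not Silverline code: lint a Front End SSL Profile's
# Advanced SSL Settings against the cautions in the article. Keys and the
# sample profile are constructed; unspecified keys fall back to the
# documented defaults (Require, 3600 s, Full termination).
from typing import Dict, List, Union

Setting = Union[str, int, bool]
CACHE_TIMEOUT_MAX = 86400       # documented upper bound, seconds
CACHE_TIMEOUT_DEFAULT = 3600    # documented default, seconds
FAIL_OPEN = "Partial termination with fail open on SSL decryption failure"


def review_profile(profile: Dict[str, Setting]) -> List[str]:
    """Return one finding per risky setting; an empty list means none."""
    findings: List[str] = []

    # Mid-stream renegotiation is refused for peers lacking the Renegotiation
    # Indication Extension only under Require / Require Strict.
    mode = profile.get("Secure Renegotiation", "Require")
    if profile.get("Renegotiation", True) and mode == "Request":
        findings.append("Renegotiation enabled with Secure Renegotiation=Request: "
                        "peers without secure renegotiation are still renegotiated")

    # Cache Timeout: 0..86400 is the valid range; longer lifetimes raise the
    # session-hijacking risk the article notes.
    timeout = int(profile.get("Cache Timeout", CACHE_TIMEOUT_DEFAULT))
    if not 0 <= timeout <= CACHE_TIMEOUT_MAX:
        findings.append(f"Cache Timeout {timeout}s outside 0-{CACHE_TIMEOUT_MAX}s")
    elif timeout > CACHE_TIMEOUT_DEFAULT:
        findings.append(f"Cache Timeout {timeout}s above the {CACHE_TIMEOUT_DEFAULT}s "
                        "default increases session-hijacking exposure")

    # Fail-open termination degrades to cleartext when decryption fails.
    if profile.get("SSL Termination", "Full termination") == FAIL_OPEN:
        findings.append("SSL Termination falls back to unencrypted on decryption failure")

    # Any lets the system pick SHA1 whenever possible for EC key exchanges.
    if profile.get("SSL Signing Hash") == "Any":
        findings.append("SSL Signing Hash=Any: SHA1 is chosen whenever possible")

    return findings


# Constructed sample profile (not from the article); every check fires.
SAMPLE_PROFILE: Dict[str, Setting] = {
    "Renegotiation": True,
    "Secure Renegotiation": "Request",
    "Cache Timeout": 43200,
    "SSL Termination": FAIL_OPEN,
    "SSL Signing Hash": "Any",
}
```

Calling `review_profile(SAMPLE_PROFILE)` returns four findings, one per flagged field; a profile left at the documented defaults returns none.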
