What are Transparent SSL Profiles?

Question

• What are Transparent SSL Profiles?

Environment

• Silverline WAF
• Proxy / Proxies
• SSL Certificates
• SSL Profiles

Answer

• Silverline proxy can utilize a transparent SSL/TLS profile allowing us to
  • Inspect the decrypted traffic and perform WAF inspection
  • The client will then perform mutual authentication with the endpoint/destination
• In terms of client cert passing to the backend, the Silverline Proxy infrastructure no longer performs the handshake
  • The handshake and exchange of the SSL information occurs between the client and backend application/server
    • small latency penalty may occur
• Transparent SSL profiles allow Silverline to inspect an SSL session without terminating it within the Silverline service itself
• During an SSL handshake, Silverline will intervene in the event that a handshake fails due to a lack of ciphers that are compatible between client and server
• Transparent SSL Profiles will require a Certificate/Key Pair. See Q&A Why does the Silverline proxy infrastructure require a cert/key pair?
• Contact SOC / Contact Silverline Support if you want to enable Transparent SSL Profiles.

Limitations:

• Cipher Suite must match on frontend and backend SSL profiles, “ALL” is perfectly acceptable
• The SSL profile must have the same certificate and key as the actual server (as opposed to the usual SOC process of encouraging different certs/keys to the customer webservers)
• Only RSA is supported (no ECC / DSA)
• No Diffe-Hellman
• No Perfect Forward Secrecy

Related Content

• How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy
• Q&A: Is TLS mutual auth supported in Silverline?
• Q&A Why does the Silverline proxy infrastructure require a cert/key pair?
• Contact SOC / Contact Silverline Support