Question
- What are Transparent SSL Profiles?
Environment
- Silverline WAF
- Proxy / Proxies
- SSL Certificates
- SSL Profiles
Answer
- The Silverline proxy can use a transparent SSL/TLS profile, which allows us to inspect the decrypted traffic and perform WAF inspection
- The client will then perform mutual authentication with the endpoint/destination
- In terms of client cert passing to the backend, the Silverline Proxy infrastructure no longer performs the handshake
- The handshake and exchange of the SSL information occurs between the client and backend application/server
- A small latency penalty may occur
- Transparent SSL profiles allow Silverline to inspect an SSL session without terminating it within the Silverline service itself
- During an SSL handshake, Silverline will intervene in the event that a handshake fails due to a lack of ciphers that are compatible between client and server
- Transparent SSL Profiles will require a Certificate/Key Pair. See the Q&A "Why does the Silverline proxy infrastructure require a cert/key pair?"
- Contact SOC / Contact Silverline Support if you want to enable Transparent SSL Profiles.
Limitations:
- The cipher suite must match on the frontend and backend SSL profiles; “ALL” is perfectly acceptable
- The SSL profile must have the same certificate and key as the actual server (as opposed to the usual SOC process of encouraging certs/keys different from those on the customer webservers)
- Only RSA is supported (no ECC / DSA)
- No Diffie-Hellman
- No Perfect Forward Secrecy
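
The limitations above can be checked against a server's cipher list before asking for a transparent profile. The following is an added example, not Silverline or F5 code: it assumes suite names in OpenSSL format (as printed by `openssl ciphers`), and the names `classify`, `audit` and `SAMPLE` are hypothetical. Anything it does not recognise is treated as unsupported.

```python
# Added example: audit OpenSSL-style cipher suite names against the
# limitations above (RSA only, no Diffie-Hellman, no forward secrecy).

# Leading tokens in OpenSSL suite names that rule a suite out.
EPHEMERAL = {"ECDHE", "DHE", "EDH"}          # ephemeral DH: forward secrecy
OTHER_DH = {"ECDH", "DH", "ADH", "AECDH"}    # static or anonymous DH
NON_RSA = {"ECDSA", "DSS", "PSK", "SRP"}     # non-RSA authentication or key exchange
# Bulk-cipher prefixes: an OpenSSL name that starts with one uses RSA key exchange.
BULK = ("AES", "DES", "RC4", "CAMELLIA", "SEED", "IDEA", "ARIA", "NULL")

def classify(suite):
    """Return (compatible, reason) for one OpenSSL cipher suite name."""
    name = suite.strip().upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        # OpenSSL lists TLS 1.3 suites as TLS_*; TLS 1.3 removed RSA key exchange.
        return False, "TLS 1.3 suite, no RSA key exchange"
    parts = name.split("-")
    if parts[0] in EPHEMERAL:
        return False, "ephemeral Diffie-Hellman (forward secrecy)"
    if parts[0] in OTHER_DH:
        return False, "Diffie-Hellman key exchange"
    if NON_RSA & set(parts):
        return False, "non-RSA authentication or key exchange"
    if parts[0].startswith(BULK):
        return True, "RSA key exchange"
    # Fail closed: IANA-style or unknown names are not guessed at.
    return False, "unrecognised name, treated as unsupported"

def audit(suites):
    """Split suite names into a supported list and a rejected {name: reason} map."""
    supported, rejected = [], {}
    for suite in suites:
        ok, reason = classify(suite)
        if ok:
            supported.append(suite)
        else:
            rejected[suite] = reason
    return supported, rejected

# Constructed sample list, not taken from any real profile.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
          "ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
          "AES256-SHA", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty supported list means the server offers nothing a transparent profile can inspect under the limitations listed above.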