
Configuring SSL Initiation Profile

 

As part of an SSL initiation profile, you can specify actions related to certificate revocation checks and choose to ignore certificate validation errors, root CA expiration dates, and other such issues based on your requirements. Commonly ignored errors include the inability to verify the CA signature, incorrect certificate expiration dates, and so forth. We do not recommend using this option for authentication because configuring it results in websites not being authenticated at all.

Note

SSL initiation profile is supported in SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.

  1. Select Configure>Security>SSL Initiation.

    The SSL Proxy Profiles page appears. Table 239 explains the contents of this page.

  2. Click one:
    • Add icon (+)—Create a new SSL initiation client profile. Enter information as specified in Table 240.

    • Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 240.

    • Delete(X)—Deletes the selected SSL proxy configuration.

    • Search icon—Enables you to search for an SSL proxy in the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to see the configuration changes that you have performed in the Show Pending Changes.

    • Discard—Discards the configuration changes you performed in the J-Web.

    • Preferences—There are two tabs:

      Commit preferences—You can choose to just validate or validate and commit the changes.

      Startup page upon login—You can choose what page should be displayed as soon as you log in to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 239: SSL Initiation Profile Page

| Field | Function |
|---|---|
| Name | Displays the name of the SSL initiation profile. |
| Flow Tracing | Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues. |
| Protocol Version | Displays the accepted SSL protocol version. |
| Preferred Cipher | Displays the preferred cipher which the SSH server uses to perform encryption and decryption functions. |
| Session Cache | Displays whether SSL session cache is enabled or not. |
| Server Authentication Failure | Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). |
| Certificate Revocation | Displays the criterion for certificate revocation for the SSL initiation profile. |

Table 240: Create-Edit SSL Initiation Profile - Configuration Details

| Field | Function | Action |
|---|---|---|
| Policy Options | | |
| Name | Specifies the name of the SSL initiation profile. | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters. |
| Flow Tracing | Specifies whether or not to enable flow tracing for this profile. | Select this option to enable flow trace for troubleshooting policy-related issues for this profile. |
| Protocol Version | Specifies the accepted SSL protocol version. | Select the protocol from the dropdown list: None, All, TLSv1, TLSv1.1, or TLSv1.2. |
| Preferred Cipher | Specifies the cipher depending on its key strength. Ciphers are divided into the following categories. Custom: configure custom cipher suite and order of preference. Medium: use ciphers with key strength of 128 bits or greater. Strong: use ciphers with key strength of 168 bits or greater. Weak: use ciphers with key strength of 40 bits or greater. | Select a preferred cipher from the dropdown list. |
| Session Cache | Specifies whether SSL session cache is enabled or not. | Select this option to enable SSL session cache. |
| Certificate | | |
| Trusted CA | Specify the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available. | Select the trusted certificate authority profile from the dropdown list. |
| Client Certificate | Specify a client certificate that is required to effectively authenticate the client: None, SSLRP_Automation_Cert_2, SSLFP_Automation_Cert_1, SSLRP_Automation_Cert_1, SSLFP_Automation_Cert_2, SSL2. | Select the appropriate client certificate from the dropdown list. |
| Actions | | |
| Server Authentication Failure | Specifies if you want to ignore server authentication completely. In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions. | Select this option to ignore server authentication completely. |
| CRL Validation | Specifies certificate revocation actions, whether CRL validation is enabled or disabled. | Select if you want to disable CRL validation. |
| Action | Specifies the action if CRL information is not present: None, Allow, Drop. | Select the action if CRL info is not present from the options: Allow session, Drop session, or None. |
| Hold Instruction Code | Specifies if you want to hold the instruction code for this profile. | Select Ignore if you want to keep the instruction code on hold. |
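
An added example (not part of Juniper's documentation): a small audit of SSL initiation profiles exported in set format, flagging the settings described above that weaken server authentication. The statement names are assumed CLI equivalents of the J-Web fields, and the profile and CA profile names are constructed; check the statement names against your Junos release.

```python
import re

# Constructed sample in `show configuration services ssl | display set` form.
# Profile names and the CA profile name are made up for this example.
SAMPLE_CONFIG = """\
set services ssl initiation profile lab-debug protocol-version all
set services ssl initiation profile lab-debug preferred-ciphers weak
set services ssl initiation profile lab-debug actions ignore-server-auth-failure
set services ssl initiation profile lab-debug actions crl disable
set services ssl initiation profile prod-out protocol-version tls12
set services ssl initiation profile prod-out preferred-ciphers strong
set services ssl initiation profile prod-out trusted-ca corp-root
set services ssl initiation profile prod-out actions crl if-not-present allow
"""

LINE_RE = re.compile(
    r"(?m)^[ \t]*set services ssl initiation profile (\S+)[ \t]+(.+?)[ \t]*$")
SEVERITY = {"high": 0, "medium": 1}

# Statement (assumed CLI form of a J-Web field) -> (severity, reason).
RULES = {
    "actions ignore-server-auth-failure":
        ("high", "certificate errors are ignored; server is not authenticated"),
    "actions crl disable":
        ("medium", "CRL validation is off; revoked certificates are accepted"),
    "actions crl if-not-present allow":
        ("medium", "session is allowed when no CRL information is present"),
    "preferred-ciphers weak":
        ("high", "admits ciphers with key strength as low as 40 bits"),
    "protocol-version all":
        ("medium", "allows TLS 1.0 and 1.1 to be negotiated"),
    "protocol-version tls1": ("medium", "TLS 1.0 is deprecated (RFC 8996)"),
    "protocol-version tls11": ("medium", "TLS 1.1 is deprecated (RFC 8996)"),
}

def audit(config_text):
    """Return {profile: [(severity, statement, reason), ...]}, worst first."""
    findings = {}
    for m in LINE_RE.finditer(config_text):
        profile, statement = m.groups()
        findings.setdefault(profile, [])  # list every profile, even clean ones
        if statement in RULES:
            sev, reason = RULES[statement]
            findings[profile].append((sev, statement, reason))
    for items in findings.values():
        items.sort(key=lambda f: SEVERITY[f[0]])  # stable: keeps file order
    return findings

def failing_profiles(config_text):
    """Profiles with at least one high-severity finding."""
    return sorted(p for p, f in audit(config_text).items() if f and f[0][0] == "high")
```

Running `audit(SAMPLE_CONFIG)` reports four findings for the troubleshooting-style profile and one for the production-style profile, which still allows sessions when CRL information is missing.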