Configuring SSL Initiation Profile
As part of an SSL initiation profile, you can specify the actions taken on certificate revocation checks and choose an option to ignore certificate validation errors, root CA expiration dates, and similar issues, depending on your requirements. Commonly ignored errors include the inability to verify the CA signature and incorrect certificate expiration dates. We do not recommend using this option for authentication, because configuring it results in websites not being authenticated at all.
SSL initiation profiles are supported on the SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.
- Select Configure>Security>SSL Initiation.
  The SSL Proxy Profiles page appears. Table 239 explains the contents of this page.
- Click one:
  - Add icon (+)—Creates a new SSL initiation client profile. Enter information as specified in Table 240.
  - Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 240.
  - Delete icon (X)—Deletes the selected SSL proxy configuration.
  - Search icon—Enables you to search for an SSL proxy in the grid.
  - Show Hide Column Filter icon—Enables you to show or hide a column in the grid.
- Click the Commit icon at the top of the J-Web page. The following commit options are displayed:
  - Commit—Commits the configuration and returns to the main configuration page.
  - Compare—Enables you to see the configuration changes you have made in Show Pending Changes.
  - Discard—Discards the configuration changes you made in J-Web.
  - Preferences—There are two tabs:
    - Commit preferences—You can choose to only validate, or to validate and commit, the changes.
    - Startup page upon login—You can choose which page is displayed as soon as you log in to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.
Table 239: SSL Initiation Profile Page
- Displays the name of the SSL initiation profile.
- Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues.
- Displays the accepted SSL protocol version.
- Displays the preferred cipher that the SSL server uses to perform encryption and decryption functions.
- Displays whether the SSL session cache is enabled or not.
- Server Authentication Failure: Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
- Displays the certificate revocation criterion for the SSL initiation profile.
Table 240: Create-Edit SSL Initiation Profile - Configuration Details

| Function | Action |
|---|---|
| Specifies the name of the SSL initiation profile. | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; the maximum length is 63 characters. |
| Specifies whether or not to enable flow tracing for this profile. | Select this option to enable flow tracing for troubleshooting policy-related issues for this profile. |
| Specifies the accepted SSL protocol version. | Select the protocol from the drop-down list: None, All, TLSv1, TLSv1.1, or TLSv1.2. |
| Specifies the preferred cipher. Ciphers are divided into categories according to their key strength. | Select a preferred cipher from the drop-down list. |
| Specifies whether the SSL session cache is enabled or not. | Select this option to enable the SSL session cache. |
| Specifies the set of ciphers the SSL server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available. | |
| | Select the trusted certificate authority profile from the drop-down list. |
| Specifies the client certificate that is required to authenticate the client. | Select the appropriate client certificate from the drop-down list. |
| Server Authentication Failure: Specifies whether to ignore server authentication completely. In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry). We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to identify the root cause of dropped SSL sessions. | Select this option to ignore server authentication completely. |
| Specifies certificate revocation actions, that is, whether CRL validation is enabled or disabled. | Select this option if you want to disable CRL validation. |
| Specifies the action to take if CRL information is not present. | Select the action to take if CRL information is not present: Allow session, Drop session, or None. |
| Hold Instruction Code: Specifies whether to hold the instruction code for this profile. | Select Ignore if you want to keep the instruction code on hold. |
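As an added example (not part of this page and not Juniper's own tooling), the following Python audit flags the risky choices described in the Server Authentication Failure and certificate revocation rows above when run over a set-format dump of SSL initiation profiles. The sample configuration is constructed, and the set-command keywords it uses (`actions ignore-server-auth-failure`, `actions crl disable`, `actions crl if-not-present`, `protocol-version`, `trusted-ca`) are assumptions, not taken from this page.

```python
import re

# Constructed sample resembling `show configuration services ssl initiation | display set`
# output. The set-command keywords below are an assumption for illustration.
SAMPLE_CONFIG = """\
set services ssl initiation profile weak-profile protocol-version tls1
set services ssl initiation profile weak-profile trusted-ca corp-root-ca
set services ssl initiation profile weak-profile actions ignore-server-auth-failure
set services ssl initiation profile weak-profile actions crl disable
set services ssl initiation profile good-profile protocol-version tls12
set services ssl initiation profile good-profile preferred-ciphers strong
set services ssl initiation profile good-profile trusted-ca corp-root-ca
set services ssl initiation profile good-profile actions crl if-not-present drop
"""

LINE_RE = re.compile(r"^set services ssl initiation profile (\S+) (.+)$")


def parse_profiles(text):
    """Group the tokens following each profile name, keyed by profile."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles.setdefault(m.group(1), []).append(m.group(2).split())
    return profiles


def audit_profile(stanzas):
    """Return the findings for one profile; an empty list means no weak setting."""
    findings = []
    has_trusted_ca = False
    for tokens in stanzas:
        if tokens[:1] == ["trusted-ca"]:
            has_trusted_ca = True
        elif tokens[:2] == ["actions", "ignore-server-auth-failure"]:
            findings.append("server certificate verification errors are ignored")
        elif tokens[:3] == ["actions", "crl", "disable"]:
            findings.append("CRL validation is disabled")
        elif tokens[:4] == ["actions", "crl", "if-not-present", "allow"]:
            findings.append("sessions are allowed when no CRL is available")
        elif tokens[:1] == ["protocol-version"] and tokens[1:2] != ["tls12"]:
            findings.append("protocol version permits pre-TLSv1.2: " + " ".join(tokens[1:]))
    if not has_trusted_ca:
        findings.append("no trusted-ca configured, so the server chain cannot be validated")
    return findings


def audit(text):
    return {name: audit_profile(st) for name, st in parse_profiles(text).items()}
```

Running `audit(SAMPLE_CONFIG)` reports three findings for `weak-profile` and none for `good-profile`.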