Encrypt Traffic Using SSL Proxy and TLS
SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. Better visibility into application usage can be made available when the SSL forward proxy is enabled.
SSL Proxy Overview
Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security.
Server authentication guards against fraudulent transmissions by enabling a Web browser to validate the identity of a webserver. Confidentiality mechanisms ensure that communications are private. SSL enforces confidentiality by encrypting data to prevent unauthorized users from eavesdropping on electronic communications. Finally, message integrity ensures that the contents of a communication have not been tampered with.
SSL proxy is transparent; that is, it performs SSL encryption and decryption between the client and the server.
Sharing server keys is sometimes not feasible or might not be available in certain circumstances, in which case the SSL traffic cannot be decrypted. SSL proxy addresses this problem by ensuring that it has the keys to encrypt and decrypt the payload:
For the server, SSL proxy acts as a client—Because SSL proxy generates the shared pre-master key, it determines the keys to encrypt and decrypt.
For the client, SSL proxy acts as a server—SSL proxy first authenticates the original server and replaces the public key in the original server certificate with a key that is known to it. It then generates a new certificate by replacing the original issuer of the certificate with its own identity and signs this new certificate with its own public key (provided as a part of the proxy profile configuration). When the client accepts such a certificate, it sends a shared pre-master key encrypted with the public key on the certificate. Because SSL proxy replaced the original key with its own key, it is able to receive the shared pre-master key. Decryption and encryption take place in each direction (client and server), and the keys are different for both encryption and decryption.
Figure 1 shows how SSL proxy works on an encrypted payload. When Advanced Security services such as application firewall (AppFW), Intrusion Detection and Prevention (IDP),application tracking (AppTrack), UTM, and SkyATP is configured, the SSL proxy acts as an SSL server by terminating the SSL session from the client and establishing a new SSL session to the server. The SRX Series device decrypts and then reencrypts all SSL proxy traffic. SSL proxy uses the following:
SSL-T-SSL terminator on the client side.
SSL-I-SSL initiator on the server side.
IDP, AppFW, AppTracking, advanced policy-based routing (APBR), UTM, SkyATP, and ICAP service redirect can use the decrypted content from SSL proxy. If none of these services are configured, then SSL proxy services are bypassed even if an SSL proxy profile is attached to a firewall policy.
Benefits of SSL Proxy
Decrypts SSL traffic to obtain granular application information and enable you to apply advanced security services protection and detect threats.
Enforces the use of strong protocols and ciphers by the client and the server.
Provides visibility and protection against threats embedded in SSL encrypted traffic.
Controls what needs to be decrypted by using Selective SSL Proxy.
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is a feature of specific key agreement protocols that provides assurances your session keys will not be compromised even if the private key of the server is compromised. By generating a unique session key for every session flow a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. For PFS to function, the key used to protect transmission of data must not be used to derive any additional keys, and if the key used to protect transmission of data was derived from some other keying material, that material must not be used to derive any further keys.
ECDHE stands for Elliptic Curve Diffie Hellman Ephemeral and is a key exchange mechanism based on elliptic curve cryptography. The ECDHE cipher suits are used to enable the PFS on SSL proxy.
ECDHE cipher suits provide the same level of security as the RSA with smaller keys. SSL proxy is targeted to support only ECDHE ciphers suites because they are less expensive computationally than DHE ciphers.
Supported Key Size
Table 1 provides the details of RSA keys supported on various SRX Series devices.
Table 1: Maximum Key Sizes Supported on SRX Series Devices
SRX Series Devices | Supported RSA Key Size |
|---|---|
SRX340, SRX345, SRX550, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800 | 512 bits, 1024 bits, 2048 bits, 4096 bits |
SRX300, SRX320 | 512 bits, 1024 bits, 2048 bits |
Starting with Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, server certificates of key size 4096 bits are supported. Prior to Junos OS Release 15.1X49-D30, server certificates with key size greater than 2048 bits were not supported because of cryptography hardware limitations.
Starting in Junos OS Release 18.1R1, SSL proxy support is available on SRX300 and SRX320 devices. On SRX300 and SRX320 devices, server certificates with key size 4096 bits are not supported.
Supported Ciphers in Proxy Mode
An SSL cipher comprises encryption ciphers, an authentication method, and compression. Table 2 displays a list of supported ciphers. NULL ciphers are excluded.
Table 2: Supported SSL Cipher List
| SSL Cipher | Key Exchange Algorithm | Data Encryption | Message Integrity | Preferred Ciphers Category | Earliest Supported Release |
|---|---|---|---|---|---|
ECDHE-ECDSA-AES-256-GCM- SHA384 | ECDHE/DSA key exchange | 256-bit AES/GCM | SHA384 hash | Strong | Junos OS Release 18.3R1 |
ECDHE-ECDSA-AES-128-GCM-SHA256 | ECDHE/DSA key exchange | 128-bit AES/GCM | SHA256 hash | Strong | Junos OS Release 18.3R1 |
ECDHE-ECDSA-AES-256-CBC- SHA384 | ECDHE/DSA key exchange | 256-bit AES/CBC | SHA384 hash | Strong | Junos OS Release 18.3R1 |
ECDHE-ECDSA-AES-128-CBC-SHA256 | ECDHE/DSA key exchange | 128-bit AES/CBC | SHA256 hash | Strong | Junos OS Release 18.3R1 |
ECDHE-ECDSA-AES-256-CBC-SHA | ECDHE/DSA key exchange | 256-bit AES/CBC | SHA hash | Strong | Junos OS Release 18.3R1 |
ECDHE-ECDSA-AES-128-CBC-SHA | ECDHE/DSA key exchange | 128-bit AES/CBC | SHA hash | Strong | Junos OS Release 18.3R1 |
ECDHE-ECDSA-3DES-EDE-CBC-SHA | ECDHE/DSA key exchange | 3DES EDE/CBC | SHA hash | Strong | Junos OS Release 18.3R1 |
ECDHE-RSA-AES256-GCM-SHA384 | ECDHE/RSA key exchange | 256-bit AES/GCM | SHA384 hash | Strong | Junos OS Release 15.1X49-D10 |
ECDHE-RSA-AES256-CBC-SHA384 | ECDHE/RSA key exchange | 256-bit AES/CBC | SHA384 hash | Strong | Junos OS Release 15.1X49-D10 |
ECDHE-RSA-AES256-CBC-SHA | ECDHE/RSA key exchange | 256-bit AES/CBC | SHA hash | Strong | Junos OS Release 15.1X49-D10 |
ECDHE-RSA-DES-CBC3-SHA | ECDHE/RSA key exchange | DES CBC | SHA hash | Medium | Junos OS Release 15.1X49-D10 |
ECDHE-RSA-AES128-GCM-SHA256 | ECDHE/RSA key exchange | 128-bit AES/GCM | SHA256 hash | Strong | Junos OS Release 15.1X49-D10 |
ECDHE-RSA-AES128-CBC-SHA256 | ECDHE/RSA key exchange | 128-bit AES/CBC | SHA256 hash | Strong | Junos OS Release 15.1X49-D10 |
ECDHE-RSA-AES128-CBC-SHA | ECDHE/RSA key exchange | 128-bit AES/CBC | SHA hash | Strong | Junos OS Release 15.1X49-D10 |
RSA-AES256-GCM-SHA384 | ECDHE/RSA key exchange | 256-bit AES/GCM | SHA384 hash | Strong | Junos OS Release 15.1X49-D10 |
RSA-AES256-CBC-SHA256 | ECDHE/RSA key exchange | 256-bit AES/CBC | SHA256 hash | Strong | Junos OS Release 15.1X49-D10 |
RSA-AES128-GCM-SHA256 | ECDHE/RSA key exchange | 128-bit AES/GCM | SHA256 hash | Strong | Junos OS Release 15.1X49-D10 |
RSA-AES128-CBC-SHA256 | ECDHE/RSA key exchange | 128-bit AES/CBC | SHA256 hash | Medium | Junos OS Release 15.1X49-D10 |
RSA-RC4-128-MD5 | RSA key exchange | 128-bit RC4 | Message Digest 5 (MD5) hash | Medium | Junos OS Release 12.1 |
RSA-RC4-128-SHA | RSA key exchange | 128-bit RC4 | Secure Hash Algorithm (SHA) hash | Medium | Junos OS Release 12.1 |
RSA-DES-CBC-SHA | RSA key exchange | DES CBC | SHA hash | Week | Junos OS Release 12.1 |
RSA-3DES-EDE-CBC-SHA | RSA key exchange | 3DES EDE/CBC | SHA hash | Week | Junos OS Release 12.1 |
RSA-AES128-CBC-SHA | RSA key exchange | 128-bit AES/CBC | SHA hash | Week | Junos OS Release 12.1 |
RSA-AES256-CBC-SHA | RSA key exchange | 256-bit AES/CBC | SHA hash | Week | Junos OS Release 12.1 |
RSA-EXPORT-RC4-40-MD5 | RSA-export | 40-bit RC4 | MD5 hash | Week | Junos OS Release 12.1 |
RSA-EXPORT-DES40-CBC-SHA | RSA-export | 40-bit DES/CBC | SHA hash | Week | Junos OS Release 12.1 |
RSA-EXPORT-1024-DES-CBC-SHA | RSA 1024 bit export | DES/CBC | SHA hash | Week | Junos OS Release 12.1 |
RSA-EXPORT-1024-RC4-56-MD5 | RSA 1024 bit export | 56-bit RC4 | MD5 hash | Week | Junos OS Release 12.1 |
RSA-EXPORT-1024-RC4-56-SHA | RSA 1024 bit export | 56-bit RC4 | SHA hash | Week | Junos OS Release 12.1 |
Cipher suites that have “export” in the title are intended for use outside of the United States and might have encryption algorithms with limited key sizes.
Export ciphers are not enabled by default. You need to either configure the export ciphers to enable or install a domestic package.
Supported SSL ciphers for HTTPS firewall authentication are RSA-3DES-EDE-CBC-SHA , RSA-AES-128-CBC-SHA, and RSA-AES-256-CBC-SHA.
ECDSA Cipher Suite Support for SSL Proxy
Starting in Junos OS Release 18.3R1, ECDSA cipher suites are supported for SSL proxy. ECDSA is a version of the Digital Signature Algorithm (DSA) and is based on Elliptic-curve cryptography (ECC).
To support ECDSA ciphers, the device must include the certificates containing ECC-capable public keys. You can include the ECC certificate along with an existing RSA certificate in an SSL proxy profile. Having both ECC and RSA certificate allows you to perform ECC-based key exchange or RSA-based key exchange depending on the client and the server device’s compatibility.
For example:
During an SSL handshake, ECDSA cipher can be used only when the server supports the ECC certificate. Otherwise, SSL proxy is done using RSA-based key exchange. If the SRX Series device has only ECC certificate (no RSA certificate), and the server supports only the RSA-based authentication, then the session is dropped with an error message.
You can include the ECDSA certificate option for the root CA (SSL forward proxy) and for the server certificate (SSL reverse proxy). For the server certificate, there is no restriction on the number of ECDSA or RSA certificate inclusion; however for the root CA, you can include one RSA certificate and one ECDSA certificate each.
All ECDSA-based cipher suites provide Perfect Forward Secrecy (PFS) support.
SSL forward proxy supports the Elliptic Curve Cryptography (ECC) certificate only with the Elliptic Prime Curve 256 bit (P-256).
A trusted CA certificate can either be an RSA-based certificate and an ECDSA-based certificate. All features supported on an RSA-based certificate such as certificate cache, certificate revocation list (CRL), certificate chain are supported on an ECDSA certificate.
Configuring Ciphers for SSL Proxy
You can configure the following ciphers for an SSL proxy profile:
Preferred Ciphers–Preferred ciphers allow you to define an SSL cipher that can be used with acceptable key strength. Ciphers are divided in three categories depending on their key strength: strong, medium, or weak.
Custom Ciphers–Custom ciphers allow you to define your own cipher list. If you do not want to use one of the three categories, you can select ciphers from each of the categories to form a custom cipher set. To configure custom ciphers, you must set preferred-ciphers to custom.
The following example shows how to create a custom cipher. In this example, you set preferred-cipher to custom and add the cipher list (rsa-with-3des-ede-cbc-sha and rsa-with-aes-256-cbc-sha):
set services ssl proxy profile profile-name preferred-ciphers customset services ssl proxy profile profile-name custom-ciphers rsa-with-3des-ede-cbc-shaset services ssl proxy profile profile-name custom-ciphers rsa-with-aes-256-cbc-sha
The following procedure shows how to configure a custom cipher for ECDSA ciphers.
To configure and use ECDSA ciphers, you must include the certificates containing ECC-capable public keys on the device.
Configure ECDSA ciphers:
- Load the ECDSA certificate (rootCA.pem) and the key (rootCA.key)
into PKI, and use the ECDSA certificate as a server certificate for
the SSL forward proxy. request security pki local-certificate load filename rootCA.pem key rootCA.key certificate-id rootCAEcds
You can generate a root CA certificate or you can import your own trusted CA certificate and private and public keys into the SRX Series device. For details on root CA certificates, see Configuring a Root CA Certificate
- Create an SSL proxy profile. You must configure either
the Root CA or the server certificate in an SSL proxy profile.set services ssl proxy profile profile-name server-certificate rootCAEcds
Or
set services ssl proxy profile profile-name root-ca rootCAEcds - Enable preferred-cipher in the SSL proxy as a custom-cipher.set services ssl proxy profile profile-name preferred-ciphers custom
- Attach a custom cipher (example: ecdhe-ecdsa-with-aes-256-cbc-sha384
and ecdhe-ecdsa-with-aes-128-cbc-sha256).set services ssl proxy profile profile-name custom-ciphers ecdhe-ecdsa-with-aes-256-cbc-sha384set services ssl proxy profile profile-name custom-ciphers ecdhe-ecdsa-with-aes-128-cbc-sha256
After performing the steps mentioned above, proceed with configuring the SSL proxy profile and applying the SSL proxy profile to a security policy.
Supported SSL Protocols
The following SSL protocols are supported on SRX Series devices for SSL initiation and termination service:
TLS version 1.0—Provides authentication and secure communications between communicating applications.
TLS version 1.1—This enhanced version of TLS provides protection against cipher block chaining (CBC) attacks.
TLS version 1.2 — This enhanced version of TLS provides improved flexibility for negotiation of cryptographic algorithms.
Starting with Junos OS Release 15.1X49-D30 and Junos OS Release 17.3R1, TLS version 1.1 and TLS version 1.2 protocols are supported on SRX Series devices along with TLS version 1.0.
Starting with Junos OS Release 15.1X49-D20 and Junos OS Release 17.3R1, the SSL protocol 3.0 (SSLv3) support is deprecated.
Server Authentication
Implicit trust between the client and the device (because the client accepts the certificate generated by the device) is an important aspect of SSL proxy. It is extremely important that server authentication is not compromised; however, in reality, self-signed certificates and certificates with anomalies are in abundance. Anomalies can include expired certificates, instances of common name not matching a domain name, and so forth. Server authentication is governed by setting the ignore-server-auth-failure option in the SSL proxy.
By default, the ignore-server-auth-failure option is not defined as an action in the SSL proxy profile, and the following occurs:
If authentication succeeds, a new certificate is generated by replacing the keys and changing the issuer name to the issuer name that is configured in the root CA certificate in the proxy profile.
If authentication fails, the connection is dropped.
If the ignore-server-auth-failure option is defined as an action in the SSL proxy profile, the following occurs:
If the certificate is self-signed, a new certificate is generated by replacing the keys only. The issuer name is not changed. This ensures that the client browser displays a warning that the certificate is not valid.
If the certificate has expired or if the common name does not match the domain name, a new certificate is generated by replacing the keys and changing the issuer name to SSL-PROXY: DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE. This ensures that the client browser displays a warning that the certificate is not valid.
Trusted CA List
SSL proxy ensures secure transmission of data between a client and a server. Before establishing a secure connection, SSL proxy checks CA certificates to verify signatures on server certificates. For this reason, a reasonable list of trusted CA certificates is required to effectively authenticate servers.
Junos OS provides the following options for trusted CA certificates:
Loading the default trusted CA list—Junos OS provides a default list of certificates that contains well-known trusted CA certificates similar to the default certificates used by most common browsers. Without these default certificates, browsers would not be able to validate the identity of most websites and would mark them as untrusted sites. Alternatively, you can download trusted CAs from a browser to an SRX Series device. See Knowledge Base Article KB23144.
The Junos OS package contains the default CA certificates as a Privacy-Enhanced Mail (PEM) file (for example, trusted_CA.pem). After you download the package, you can easily load the default certificates on your system using the request security pki ca-certificate ca-profile-group load ca-group-name ca-default filename default command. You can use the default trusted CA bundle file embedded into Junos OS or you can download the latest CA bundle list from another 3rd party such as Mozilla (https://curl.haxx.se/docs/caextract.html). The list of trusted Certificate Authority can change over time so we recommend you to use the latest CA bundle.
We recommend you load the default trusted CA list if you want to trust the same CA certificates as common browsers and avoid importing CA certificates manually.
Note By default, Junos OS does not trust any CA certificate.
Importing the trusted CA list manually—You can import your own trusted CA certificates using the Public Key Infrastructure (PKI). The PKI helps verify and authenticate the validity of the trusted CA certificates. You create CA profile groups that include trusted CA certificates, then import the group on your device for server authentication.
Ignoring server authentication—You can use the ignore-server-auth-failure option to ignore server authentication completely. In this case, SSL proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions. See Enabling Debugging and Tracing for SSL Proxy.
Root CA
In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.
Client Authentication
Currently, client authentication is not supported in SSL proxy. If a server requests client authentication, a warning is issued that a certificate is not available. The warning lets the server determine whether to continue or to exit.
Whitelists
Because SSL encryption and decryption might consume memory resources on the SRX Series device, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under whitelists.
Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the whitelisting feature is extended to include URL categories supported by UTM in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. Each URL category has a unique ID. The list of URL categories under whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept, and proxy, or to ignore the session.
Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to support custom URL categories supported by UTM in the whitelist configuration of SSL forward proxy.
Dynamic Resolution of Domain Names
The IP addresses associated with domain names are dynamic and can change at any time. Whenever a domain IP address changes, it is propagated to the SSL proxy configuration (similar to what is done in the firewall policy configuration).
Session Resumption
An SSL session refers to the set of parameters and encryption keys created by performing a full handshake. A connection is the conversation or active data transfer that occurs within the session. The computational overhead of a complete SSL handshake and generation of master keys is considerable. In short-lived sessions, the time taken for the SSL handshake can be more than the time for data transfer.
To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server. The cached information is identified by a session ID. In subsequent connections both parties agree to use the session ID to retrieve the information rather than create a new pre-master secret key. Session resumption shortens the handshake process and accelerates SSL transactions.
Session Renegotiation
After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0, TLS v1.1, and TLS v1.2) renegotiation. When session resumption is enabled, session renegotiation is useful in the following situations:
Cipher keys need to be refreshed after a prolonged SSL session.
Stronger ciphers need to be applied for a more secure connection.
A change in an SSL proxy profile that modifies a certificate, cipher strength, or trusted CA list flushes cache entries when the modified policy is committed. When a session is resumed, the SSL parameters associated with its session ID are retrieved from the cache. If the SSL proxy profile is not altered, cache entries corresponding to that profile are not flushed and the session continues. If the cache has been flushed, however, a full handshake must be performed to establish the new SSL parameters. (There is no impact to non-SSL sessions.)
SSL Proxy Logs
When logging is enabled in an SSL proxy profile, SSL proxy can generate the messages shown in Table 3.
Table 3: SSL Proxy Logs
| Syslog Type | Description |
|---|---|
SSL_PROXY_SSL_SESSION_DROP | Logs generated when a session is dropped by SSL proxy. |
SSL_PROXY_SSL_SESSION_ALLOW | Logs generated when a session is processed by SSL proxy even after encountering some minor errors. |
SSL_PROXY_SESSION_IGNORE | Logs generated if non-SSL sessions are initially mistaken as SSL sessions. |
SSL_PROXY_SESSION_WHITELIST | Logs generated when a session is whitelisted. |
SSL_PROXY_ERROR | Logs used for reporting errors. |
SSL_PROXY_WARNING | Logs used for reporting warnings. |
SSL_PROXY_INFO | Logs used for reporting general information. |
All logs contain similar information as shown in the following example (actual order of appearance):
logical-system-name, session-id, source-ip-address, source-port, destination-ip-address,destination-port, nat-source-ip-address, nat-source-port, nat-destination-ip-address, nat-destination-port, proxy profile name, source-zone-name, source-interface-name, destination-zone-name,destination-interface-name, message
The message field contains the reason for the log generation. One of three prefixes shown in Table 4 identifies the source of the message. Other fields are descriptively labeled.
Table 4: SSL Proxy Log Prefixes
| Prefix | Description |
|---|---|
system | Logs generated due to errors related to the device or an action taken as part of the SSL proxy profile. Most logs fall into this category. |
openssl error | Logs generated during the handshaking process if an error is detected by the openssl library. |
certificate error | Logs generated during the handshaking process if an error is detected in the certificate (x509 related errors). |
Sample logs:
Jun 1 05:11:13 4.0.0.254 junos-ssl-proxy: SSL_PROXY_SSL_SESSION_DROP: lsys:root 23 < 203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443> ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:certificate error: self signed certificate
These logs capture sessions that are dropped by SSL proxy, not sessions that are marked by other modules that also use SSL proxy services.
For SSL_PROXY_SESSION_WHITELIST messages, an additional host field is included after the session-id and contains the IP address of the server or domain that has been whitelisted.
Jun 1 05:25:36 4.0.0.254 junos-ssl-proxy: SSL_PROXY_SESSION_WHITELIST: lsys:root 24 host:192.0.2.1/443<203.0.113.1/35090->192.0.2.1/443> NAT:< 203.0.113.1/35090->192.0.2.1/443 > ssl-inspect-profile <untrust:ge-0/0/0.0->trust:ge-0/0/1.0> message:system: session whitelisted
Leveraging Dynamic Application Identification
SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted. SSL proxies are allowed only if a session is SSL encrypted. The following rules apply for a session:
Session is marked Encrypted=Yes in the application system cache. If the session is marked Encrypted=Yes, it indicates that the final match from application identification for that session is SSL encrypted, and SSL proxy transitions to a state where proxy functionality can be initiated.
Session is marked Encrypted=No in the application system cache. If a non-SSL entry is found in the application system cache, it indicates that the final match from application identification for that session is non-SSL and SSL proxy ignores the session.
An entry is not found in the application system cache. This can happen on the first session, or when the application system cache has been cleaned or has expired. In such a scenario, SSL proxy cannot wait for the final match (requires traffic in both directions). In SSL proxy, traffic in reverse direction happens only if SSL proxy has initiated an SSL handshake. Initially, for such a scenario SSL proxy tries to leverage prematch or aggressive match results from application identification , and if the results indicate SSL, SSL proxy will go ahead with the handshake.
Application identification fails due to resource constraints and other errors. Whenever the result from application identification is not available, SSL proxy will assume static port binding and will try to initiate SSL handshake on the session. This will succeed for actual SSL sessions, but it will result in dropped sessions for non SSL sessions.
Logical Systems Support
It is possible to enable SSL proxy on firewall policies that are configured using logical systems; however, note the following limitations:
The “services” category is currently not supported in logical systems configuration. Because SSL proxy is under “services,” you cannot configure SSL proxy profiles on a per-logical-system basis.
Because proxy profiles configured at a global level (within “services ssl proxy”) are visible across logical system configurations, it is possible to configure proxy profiles at a global level and then attach them to the firewall policies of one or more logical systems.
Limitations
On SRX Series devices, for a particular session, the SSL proxy is only enabled if a relevant feature related to SSL traffic is also enabled. Features that are related to SSL traffic are IDP, application identification, application firewall, application tracking, advanced policy-based routing, UTM, SkyATP, and ICAP redirect service. If none of these features are active on a session, the SSL proxy bypasses the session and logs are not generated in this scenario.
On all SRX Series devices, the current SSL proxy implementation has the following connectivity limitations:
The SSLv3.0 protocol support is deprecated.
The SSLv2 protocol is not supported. SSL sessions using SSLv2 are dropped.
Only X.509v3 certificate is supported.
Client authentication of SSL handshake is not supported.
SSL sessions where client certificate authentication is mandatory are dropped.
SSL sessions where renegotiation is requested are dropped.
See also
Configuring SSL Forward Proxy
SSL proxy works transparently between the client and the server. All requests from a client first go to the proxy server; the proxy server evaluates the request, and if the request is valid, forwards the request to the outbound side. Similarly, inbound requests are also evaluated by the proxy server. Both client and server interpret that they are communicating with each other; however, it is the SSL proxy that functions between the two. For release-specific support, see Feature Explorer
SSL proxies provide encryption and decryption by residing between the server and the client. Because SSL proxies are hidden from both the server and the client, secret keys are shared between the two to decrypt the SSL traffic. Proxies are known as forward proxies because proxy servers are used to hide any detailed information from the servers.
Integrity, confidentiality, and authenticity of traffic are validated through PKI, which includes digital certificates issued by the CA, certificate validity and expiration dates, details about the certificate owner and issuer, and security policies.
SSL Proxy Configuration Overview
Figure 2 displays an overview of how SSL proxy is configured. It includes some required steps, such as configuring the root CA certificate, loading a CA profile group, and applying an SSL proxy profile to a security policy, and some optional steps, such as creating whitelists and SSL proxy logging.
Configuring a Root CA Certificate
A CA can issue multiple certificates in the form of a tree structure. A root certificate is the topmost certificate of the tree, the private key of which is used to sign other certificates. All certificates immediately below the root certificate inherit the signature or trustworthiness of the root certificate. This is somewhat like the notarizing of an identity.
You can configure a root CA certificate by first obtaining a root CA certificate (by either generating a self-signed one or importing one) and then applying it to an SSL proxy profile. There are two ways you can obtain a root CA certificate—by using the Junos OS CLI on an SRX Series device or by using OpenSSL on a UNIX device.
To generate a root CA certificate using the Junos OS CLI, follow these steps on an SRX Series device:
- From operational mode, generate a PKI public/private key
pair for a local digital certificate.user@host>request security pki generate-key-pair certificate-id certificate-id size size type type
- From operational mode, define a self-signed certificate.
Specify certificate details such as the certificate identifier (generated
in the previous step), a fully qualified domain name (FQDN) for the
certificate, and an e-mail address of the entity owning the certificate.
You can also specify other information such as the common name and
the organization involved. By configuring the add-ca-constraint option, you make sure that the certificate can be used for signing
other certificates.user@host>request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id add-ca-constraint
- From configuration mode, apply the loaded certificate
as root-ca in the SSL proxy profile.[edit]user@host# set services ssl proxy profile profile-name root-ca certificate-id
- Import the root CA as a trusted CA into client browsers. This is required for the client browsers to trust the certificates signed by the SRX Series device. See Importing a Root CA Certificate into a Browser.
To generate a root CA certificate using OpenSSL, follow these steps on a UNIX device:
- Create folders keys and certs.mkdir /etc/pki/tls/keysmkdir /etc/pki/tls/certs
- Change to the openssl directory.cd /etc/pki/tls
- Create a CA certificate key. The following command creates
an RSA key using the 3DES encryption named ca.key that
is 2048 in length. You also need to enter a password that is used
to encrypt the private key. This is critical to security if the key
is lost because it will still be encrypted.% openssl genrsa -des3 -out keys/ssl-proxy-ca.key 2048
- Create a CA certificate based on the CA private key (created
in the previous step). The expiration date for this certificate is
3 years or 1095 days. However, you can set it to a different value.
When creating the certificate, you need to enter the password and
the certificate information that includes distinguished name (DN),
country name, and so forth. % openssl req -new -x509 -days 1095 –key keys/ssl-proxy-ca.key -out certs/ssl-inspect-ca.cer
- Import the CA private and public keys into the SRX Series
device. Copy the ca.key and ca.cer keys to the
/var/tmpdirectory on the SRX Series device. You can copy using SCP, or open the files and copy them into “vi” on the SRX Series device to create new files.user@host> request security pki local-certificate load certificate-id ssl-inspect-ca key /var/tmp/ssl-inspect-ca.key filename /var/tmp/ssl-inspect-ca.cer passphrase password - From configuration mode, apply the loaded certificate
as root-ca in the SSL proxy profile.[edit]user@host# set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
- Import the root CA as a trusted CA into client browsers. This is required for the client browsers to trust the certificates signed by the SRX Series device. See Importing a Root CA Certificate into a Browser.
Configuring a CA Profile Group
The CA profile defines the certificate information to be used for authentication. It includes the public key that SSL proxy uses when generating a new certificate. Junos OS allows you to create a group of CA profiles and load multiple certificates in one action, view information about all certificates in a group, and delete unwanted CA groups.
You can load a group of CA profiles by obtaining a list of trusted CA certificates, defining a CA group, and attaching the CA group to the SSL proxy profile.
- Obtain a list of trusted CA certificates by following
one of these methods:
Junos OS provides a default list of trusted CA certificates that you can load on your system using the default command option. The Junos OS package contains the default CA certificates as a PEM file (for example,
trusted_CA.pem). After you download the Junos OS package, the default certificates are available on your system.From operational mode, load the default trusted CA certificates (the group name identifies the CA profile group):
user@host> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename defaultAlternatively, you can define your own list of trusted CA certificates and import them on your system. You get the list of trusted CAs in a single PEM file (for example
IE-all.pem) and save the PEM file in a specific location (for example,/var/tmp). See Knowledge Base Article KB23144.From operational mode, load the trusted list to the device (the group name identifies the CA profile group):
user@host> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename /var/tmp/IE-all.pem
- From configuration mode, attach the trusted CA or trusted
CA group to the SSL proxy profile. You can attach all trusted CA or
one trusted CA at a time:
To attach one CA profile group (the group name identifies the CA profile group):
[edit]user@host# set services ssl proxy profile profile-name trusted-ca ca-nameTo attach all CA profile groups:
[edit]user@host# set services ssl proxy profile profile-name trusted-ca all
You can easily display information about all certificates in a CA profile group:
You can delete a CA profile group. Remember that deleting a CA profile group deletes all certificates that belong to that group:
Configuring a Trusted CA Profile
Typically, you import a list of trusted CA certificates by creating a group of CA profiles. However, you can also configure a single CA profile (containing one or multiple certificates) and import it using PKI commands. This section shows you how to import a trusted CA certificate from your browser’s certificate store into your SRX Series device. The certificate that is configured under the trusted CA is loaded using the PKI commands and is used for validating the server certificate chain.
- From configuration mode, configure the CA profile used
for loading the certificate.[edit]user@host# set security pki ca-profile profile-name ca-identity ca-identity
- From operational mode, load the certificate using PKI
commands.user@host> request security pki ca-certificate load ca-profile profile-name filename filename
- From configuration mode, disable the revocation check
(if required).[edit]user@host# set security pki ca-profile profile-name ca-identity ca-identity revocation-check disable
- From configuration mode, configure the loaded certificate
as a trusted CA in the SSL proxy profile. [edit]user@host# set services ssl proxy profile ssl-proxy-profile-name trusted-ca ca-profile-name
Note More than one trusted CA can be configured for a profile.
- (Optional) If you have multiple trusted CA certificates,
you do not have to specify each trusted CA separately. You can load all the trusted CA certificates using the following command
from configuration mode.[edit]user@host# set services ssl proxy profile ssl-proxy-profile-name trusted-ca all
Note Alternatively, you can import a set of trusted CAs from your browser into the SRX Series device. See Knowledge Base article KB23144.
Importing a Root CA Certificate into a Browser
In order to have your browser or system automatically trust all certificates signed by the root CA configured in the SSL proxy profile, you must instruct your platform or browser to trust the CA root certificate.
To import a root CA certificate:
- Generate a PEM format file for the configured root CA.request security pki local-certificate export certificate-id root-ca type pem filename path/file-name.pem
- Import a root CA certificate into a browser.
From Internet Explorer (version 8.0):
- From the Tools menu, select Internet Options.
- On the Content tab, click Certificates.
- Select the Trusted Root Certification Authorities tab and click Import.
- In the Certificate Import Wizard, navigate to the required root CA certificate and select it.
From Firefox (version 39.0):
- From the Tools menu, select Options.
- From the Advanced menu, select the Certificates tab and click View Certificate.
- In the Certificate Manager window, select the Authorities tab and click Import.
- Navigate to the required root CA certificate and select it.
From Google Chrome (45.0):
- From the Settings menu, select Show Advanced Settings.
- From the Advanced menu, select the Certificates tab and click View Certificate.
- Under HTTPS/SSL, click Manage Certificates.
- In the Certificate window, select Trusted Root Certification Authorities and click Import.
- In the Certificate Import Wizard, navigate to the required root CA certificate and select it.
Applying an SSL Proxy Profile to a Security Policy
SSL proxy is enabled as an application service within a security policy. In a security policy, you specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy CA profile to be applied to the traffic. Figure 3 displays a graphical view of SSL proxy profile and security policy configuration.
To enable SSL proxy in a security policy:
- Create a security policy and specify the match criteria
for the policy. As match criteria, specify the traffic for which you
want to enable SSL proxy. [edit]user@host# set security policies from-zone trust to-zone untrust policy policy-name match source-address source-addressuser@host# set security policies from-zone trust to-zone untrust policy policy-name match destination-address destination-addressuser@host# set security policies from-zone trust to-zone untrust policy policy-name match application application
- Apply the SSL proxy profile to the security policy.[edit]user@host# set security policies from-zone trust to-zone untrust policy policy-name then permit application-services ssl-proxy profile-name profile-name
Creating a Whitelist of Exempted Destinations
Because SSL encryption and decryption might consume memory resources on the SRX Series device, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under whitelists.
Whitelists include addresses that you want to exempt from undergoing SSL proxy processing. For example, if you want to exempt all sessions to www.mycompany.com, then you would include it in the whitelist. To configure the whiltelist, you specify the domain that you want to exempt in an address book and then configure the address in the SSL proxy profile.
- Configure the domain in the address book.[edit]user@host# set security address-book global address address dns-name www.mycompany.com
- Specify the global address book address in the SSL proxy
profile.[edit]user@host# set services ssl proxy profile profile-name whitelist address
Whitelist addresses and address sets are created under the global address book. The following type of addresses (from the global address book) are supported:
IPv4 addresses (plain text). For example:
[edit]user@host# set security address-book global address address-name ipv4-prefixIPv4 address range. For example:
[edit]user@host# set security address-book global address address-name range-address range-low to range-highIPv4 wildcard. For example:
[edit]user@host# set security address-book global address address-name wildcard-address addr/netmaskNoncontiguous netmasks are not supported. For example:
203.0.113.9/255.255.0.0 is supported.
203.0.113.9/255.255.0.255 is NOT supported.
IPv6 address (plain text). For example:
[edit]user@host# set security address-book global address address-name ipv6-prefixDNS name. For example:
[edit]user@host# set security address-book global address address-name dns-name domain-nameTranslated IP addresses. Sessions are whitelisted based on the actual IP address and not on the translated IP address. Because of this, in the whitelist configuration of the SSL proxy profile, the actual IP address should be provided and not the translated IP address.
For example, consider a destination NAT rule that translates destination IP address 192.0.2.10/24 to 198.51.100.8/24 using the following commands:
[edit]user@host# set security nat destination pool d1 address 198.51.100.8/24user@host# set security nat destination rule-set dst-nat rule r1 match destination-address 192.0.2.10/24user@host# set security nat destination rule-set dst-nat rule r1 then destination-nat pool d1
In this scenario, to exempt a session from SSL proxy inspection, the following IP address should be added to the whitelist:
Starting with Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the whitelisting feature is extended to include URL categories supported by UTM in SSL forward proxy configuration. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. Each URL category has a unique ID. The list of URL categories under whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept, and proxy, or to ignore the session.
The predefined url categories depends on UTM. To enable URL- based whitelisting in SSL proxy, the following basic URL configurations are required:
Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to support custom URL categories supported by UTM.
The below example shows how to configure custom URL categories. In this example, Enhanced_Financial_Data_and_Services is one of the supported URL categories:
Configuring SSL Proxy Logging
When configuring SSL proxy, you can choose to set the option to receive some or all of the logs. SSL proxy logs contain the logical system name, SSL proxy whitelists, policy information, SSL proxy information, and other information that helps you troubleshoot when there is an error.
You can configure logging of all or specific events, such as error, warning, and information events. You can also configure logging of sessions that are whitelisted, dropped, ignored, or allowed after an error occurs.
You can use enable-flow-tracing option to enable debug tracing.
Exporting Certificates to a Specified Location
When a self-signed certificate is generated using a PKI command,
the newly generated certificate is stored in a predefined location
(var/db/certs/common/local).
Use the following command to export the certificate to a specific location (within the device). You can specify the certificate ID, the filename, and the type of file format (DER/PEM):
Ignoring Server Authentication
Junos OS allows you to configure an option to ignore server authentication completely. If you configure your system to ignore authentication, then any errors encountered during server certificate verification at the time of the SSL handshake are ignored. Commonly ignored errors include the inability to verify CA signature, incorrect certificate expiration dates, and so forth. If this option is not set, all the sessions where the server sends self-signed certificates are dropped when errors are encountered.
We do not recommend using this option for authentication because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause of dropped SSL sessions.
From configuration mode, specify to ignore server authentication:
See also
Enabling Debugging and Tracing for SSL Proxy
Debug tracing on both Routing Engine and the Packet Forwarding Engine can be enabled for SSL proxy by setting the following configuration:
SSL proxy is supported on SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, SRX5800 devices and vSRX instances. Table 5 shows the supported levels for trace options.
Table 5: Trace Levels
Cause Type | Description |
|---|---|
Brief | Only error traces on both the Routing Engine and the Packet Forwarding Engine. |
Detail | Packet Forwarding Engine–Only event details up to the handshake should be traced. Routing Engine–Traces related to commit. No periodic traces on the Routing Engine will be available |
Extensive | Packet Forwarding Engine–Data transfer summary available. Routing Engine–Traces related to commit (more extensive). No periodic traces on the Routing Engine will be available. |
Verbose | All traces are available. |
Table 6 shows the flags that are supported.
Table 6: Supported Flags in Trace
Cause Type | Description |
|---|---|
cli-configuration | Configuration-related traces only. |
initiation | Enable tracing on the SSL-I plug-in. |
proxy | Enable tracing on the SSL-Proxy-Policy plug-in. |
termination | Enable tracing on the SSL-T plug-in. |
selected-profile | Enable tracing only for profiles that have enable-flow-tracing set. |
You can enable logs in the SSL proxy profile to get to the root cause for the drop. The following errors are some of the most common:
Server certification validation error. Check the trusted CA configuration to verify your configuration.
System failures such as memory allocation failures.
Ciphers do not match.
SSL versions do not match.
SSL options are not supported.
Root CA has expired. You need to load a new root CA.
You can enable the ignore-server-auth-failure option in the SSL proxy profile to ensure that certificate validation, root CA expiration dates, and other such issues are ignored. If sessions are inspected after the ignore-server-auth-failure option is enabled, the problem is localized.
See also
Transport Layer Security (TLS) Overview
Transport Layer Security (TLS) is an application-level protocol that provides encryption technology for the Internet. TLS relies on certificates and private-public key exchange pairs for this level of security. It is the most widely used security protocol for the applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging, and voice over IP (VoIP).
TLS protocol is used for certificate exchange, mutual authentication, and negotiating ciphers to secure the stream from potential tampering and eavesdropping. TLS is sometimes called as Secure Sockets Layer (SSL). TLS and SSL are not interoperable, though TLS currently provides some backward compatibility.
SRX Series devices provides TLS inspection that use the TLS protocol suite consisting of different TLS versions, ciphers, and key exchange methods. TLS inspection feature enables SRX Series devices to inspect HTTP traffic encrypted in TLS on any port.
Benefits of TLS
TLS ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.
TLS Versions
Following are the versions of TLS:
TLS version 1.0—Provides secure communication over networks by providing privacy and data integrity between communicating applications
TLS version 1.1—This enhanced version of TLS provides protection against cipher-block chaining (CBC) attacks.
TLS version 1.2 — This enhanced version of TLS provides improved flexibility for negotiation of cryptographic algorithms.
Starting with Junos OS Release 12.3X48-D30, SRX Series devices support TLS version 1.2. SRX Series devices running earlier release of 12.3X48-D30, supports TLS version 1.0.
Three Essential Services of TLS
The TLS protocol is designed to provide three essential services to the applications running above it: encryption, authentication, and data integrity.
Encryption—In order to establish a cryptographically secure data channel, the server and the client must agree on which cipher suites are used and the keys used to encrypt the data. The TLS protocol specifies a well-defined handshake sequence to perform this exchange. TLS uses public key cryptography, which allows the client and server to negotiate a shared secret key without having to establish any prior knowledge of each other, and to do so over an unencrypted channel.
Authentication—As part of the TLS handshake, the protocol allows both server and the client to authenticate their identity. Implicit trust between the client and the server (because the client accepts the certificate generated by the server) is an important aspect of TLS. It is extremely important that server authentication is not compromised; however, in reality, self- signed certificates and certificates with anomalies are in abundance. Anomalies can include expired certificates, instances of common name not matching a domain name, and so forth.
Integrity—With encryption and authentication in place, the TLS protocol does message framing mechanism and signs each message with a Message Authentication Code (MAC). The MAC algorithm does the effective checksum, and the keys are negotiated between the client and the server.
TLS Handshake
Each TLS session begins with a handshake during which the client and server agree on the specific security key and the encryption algorithms to use for that session. At this time, the client also authenticates the server. Optionally, the server can authenticate the client. Once the handshake is complete, transfer of encrypted data can begin.
Encrypting Syslog Traffic with TLS
TLS protocol ensures the syslog messages are securely sent and received over the network. TLS uses certificates to authenticate and encrypt the communication. The client authenticates the server by requesting its certificate and public key. Optionally, the server can also request a certificate from the client, thus mutual authentication is also possible.
A certificate on the server that identifies the server and the certificate of certificate authority (CA) issued by the server must be available with the client for TLS to encrypt syslog traffic.
For mutual authentication of client and the server, a certificate with the client that identifies the client and the certificate of CA issued by client must be available on the server. Mutual authentication ensures that the syslog server accepts log messages only from authorized clients.
Configuring the TLS Syslog Protocol
This example shows how to configure the Transport Layer Security (TLS) syslog protocol on SRX Series devices to receive encrypted syslog events from network devices that support TLS syslog event forwarding.
Requirements
Before you begin, enable server certificate verification and encryption or decryption capabilities.
Overview
TLS syslog protocol enables log sources to receive encrypted syslog events from network devices that supports TLS syslog event forwarding. The log source creates a listen port for incoming TLS syslog events and generates a certificate file for the network devices.
In this example, you will configure a syslog collector associated with one SSL-I profile. Each SSL-I profile will enable the user to specify things like preferred ciphers suite and trusted CA certificates. Multiple SSL-I profiles can be configured and associated to different collector servers.
Configuration
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure TLS syslog protocol:
- Set the log mode to stream.[edit security]user@host# set log mode stream
- Set the format for remote security message logging to
sd-syslog (structured system log).[edit security]user@host# set log format sd-syslog
- Set the host source interface number.[edit security]user@host# set log source-interface ge-0/0/1.0
- Set security log transport protocol tls to be used to
log the data.[edit security]user@host# set log transport protocol tls
- Specify the TLS profile name. [edit security]user@host# set log transport tls-profile ssl-i-tls
- Set the log stream to use the structured syslog format
for sending logs to server 1.[edit security]user@host# set log stream server1 format sd-syslog
- Set the category of server 1 logging to all .[edit security]user@host# set log stream server1 category all
- Set server host parameters by entering the server name
or IP address.[edit security]user@host# set log stream server1 host 192.0.2.100
- Define the protocol version all for SSL initiation access
profile.[edit services]user@host# set ssl initiation profile ssl-i-tls protocol-version all
- Attach all CA profile groups to the SSL initiation profile
to use when requesting a certificate from the peer.[edit services]user@host# set ssl initiation profile ssl-i-tls trusted-ca all
- Define the SSL initiation access profile to ignore the
server authentication failure.[edit services]user@host# set ssl initiation profile ssl-i-tls actions ignore-server-auth-failure
Results
From configuration mode, confirm your configuration by entering the show security log command. If the output does not display the intended configuration, then repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To verify that the configuration is working properly, enter the show log command on the syslog server.