profile (Services SSL Proxy)
Syntax
profile name {
    actions {
        allow-strong-certificate;
        crl {
            disable;
            if-not-present (allow | drop);
            ignore-hold-instruction-code;
        }
        disable-session-resumption;
        ignore-server-auth-failure;
        log {
            all;
            errors;
            info;
            sessions-allowed;
            sessions-dropped;
            sessions-ignored;
            sessions-whitelisted;
            warning;
        }
        renegotiation {
            (allow | allow-secure | drop);
        }
    }
    custom-ciphers [ custom-ciphers ... ];
    disable-deferred-profile-selection;
    enable-flow-tracing;
    mirror-decrypt-traffic {
        interface interface-name;
        only-after-security-policies-enforcement;
        destination-mac-address mac-address;
    }
    preferred-ciphers (custom | medium | strong | weak);
    (root-ca root-ca | server-certificate [ server-certificate ... ]);
    trusted-ca (all | [ trusted-ca ... ]);
    whitelist [ whitelist ... ];
    whitelist-url-categories [ whitelist-url-categories ... ];
}
Hierarchy Level
[edit services ssl proxy], [edit logical-systems logical-system-name services ssl proxy]
Description
Specify an SSL proxy profile. An SSL proxy profile defines the SSL proxy behavior (certificates, ciphers, logging, and exemptions) for the SRX Series Firewall; it is applied in a security policy as an application service.
The limits for trusted CA certificates, server certificates, and URL categories in both SSL forward proxy and SSL reverse proxy configurations have been reduced so that a profile stays within the maximum configuration blob size of 56,986 bytes.
Changed limits:
- Trusted CA certificates / server certificates: maximum 400 (reduced from 1024)
- URL categories: maximum 800 (unchanged)
Configuration statements:
user@host# set services ssl proxy profile profile-name trusted-ca (all | [ ca-profile ... ])
user@host# set services ssl proxy profile profile-name server-certificate [ server-certificate ... ]
user@host# set services ssl proxy profile profile-name whitelist-url-categories [ url-category ... ]
When the blob limit is exceeded, the configuration is rejected with an error such as:
ERROR: Maximum blob size (56986 bytes) exceeded...current blob size is 57014 bytes. 400 Server certs are taking 54400 bytes, and 27 URL categories are taking 1728 bytes.
Note that the per-list maxima cannot all be used at the same time: in the error above, 400 server certificates plus only 27 URL categories already exceed the limit, and the reported total (57,014 bytes) is larger than the sum of the two lists (56,128 bytes), so the blob also carries other overhead.
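The following script is an added example, not Juniper code or part of this reference page. It parses Junos set-style configuration lines, counts the trusted-ca, server-certificate, and whitelist-url-categories entries of each SSL proxy profile, compares them with the documented maxima, and estimates the configuration blob size from the figures in the error message above (400 server certificates = 54,400 bytes, 27 URL categories = 1,728 bytes). The per-item costs follow from those figures; the 886-byte fixed overhead is the unexplained remainder of that message and is an assumption, as are the certificate and category names in the sample configuration and the shape of the `set security pki ca-profile` lines used to resolve `trusted-ca all`.

```python
"""Pre-commit limit check for Junos 'services ssl proxy profile' statements.

Constructed example, not Juniper code. The sample configuration, the
per-item byte costs and the fixed overhead are derived from the limits and
the error message documented on the page; see the comments on each constant.
"""
import re
from collections import defaultdict

MAX_CERTS = 400               # trusted-ca and server-certificate (reduced from 1024)
MAX_URL_CATEGORIES = 800      # whitelist-url-categories (unchanged)
MAX_BLOB_BYTES = 56986        # configuration blob size limit
BYTES_PER_CERT = 136          # 54400 bytes / 400 server certificates
BYTES_PER_URL_CATEGORY = 64   # 1728 bytes / 27 URL categories
BLOB_FIXED_OVERHEAD = 886     # 57014 - 54400 - 1728 (assumption: fixed overhead)

PROFILE_RE = re.compile(
    r"^set services ssl proxy profile (?P<profile>\S+) "
    r"(?P<stmt>trusted-ca|server-certificate|whitelist-url-categories) (?P<rest>.+)$")
# 'trusted-ca all' means every CA profile configured under [edit security pki];
# that hierarchy is not documented on this page, so this line shape is assumed.
CA_PROFILE_RE = re.compile(r"^set security pki ca-profile (?P<name>\S+)")

# Constructed sample configuration with hypothetical certificate/category names.
SAMPLE_CONFIG = """\
set security pki ca-profile corp-root ca-identity corp-root
set security pki ca-profile public-ca ca-identity public-ca
set services ssl proxy profile fwd-proxy root-ca ssl-inspect-ca
set services ssl proxy profile fwd-proxy trusted-ca all
set services ssl proxy profile fwd-proxy preferred-ciphers strong
set services ssl proxy profile fwd-proxy actions renegotiation allow-secure
set services ssl proxy profile fwd-proxy actions log sessions-dropped
set services ssl proxy profile fwd-proxy whitelist-url-categories [ Cat_Finance Cat_Health ]
set services ssl proxy profile rev-proxy server-certificate [ www-cert api-cert ]
set services ssl proxy profile rev-proxy trusted-ca public-ca
set services ssl proxy profile rev-proxy actions ignore-server-auth-failure
"""


def _values(rest):
    """Split a single identifier or a '[ a b c ]' list into identifiers."""
    rest = rest.strip()
    if rest.startswith("[") and rest.endswith("]"):
        rest = rest[1:-1]
    return rest.split()


def parse_set_config(config_text):
    """Return ({profile: {statement: set(values)}}, set of CA profile names)."""
    profiles = defaultdict(lambda: defaultdict(set))
    ca_profiles = set()
    for line in config_text.splitlines():
        line = line.strip()
        m = CA_PROFILE_RE.match(line)
        if m:
            ca_profiles.add(m.group("name"))
            continue
        m = PROFILE_RE.match(line)
        if m:
            profiles[m.group("profile")][m.group("stmt")].update(_values(m.group("rest")))
    return profiles, ca_profiles


def estimate_blob_bytes(n_server_certs, n_url_categories):
    """Blob size implied by the page's error message (reproduces its 57014 bytes)."""
    return (BLOB_FIXED_OVERHEAD + n_server_certs * BYTES_PER_CERT
            + n_url_categories * BYTES_PER_URL_CATEGORY)


def check_profile_limits(config_text):
    """Per profile: entry counts, estimated blob size and a list of problems."""
    profiles, ca_profiles = parse_set_config(config_text)
    report = {}
    for name, stmts in profiles.items():
        trusted = stmts["trusted-ca"]
        n_trusted = len(ca_profiles) if "all" in trusted else len(trusted)
        n_certs = len(stmts["server-certificate"])
        n_cats = len(stmts["whitelist-url-categories"])
        blob = estimate_blob_bytes(n_certs, n_cats)
        problems = []
        if n_trusted > MAX_CERTS:
            problems.append(f"trusted-ca resolves to {n_trusted} CA profiles (max {MAX_CERTS})")
        if n_certs > MAX_CERTS:
            problems.append(f"{n_certs} server certificates (max {MAX_CERTS})")
        if n_cats > MAX_URL_CATEGORIES:
            problems.append(f"{n_cats} URL categories (max {MAX_URL_CATEGORIES})")
        if blob > MAX_BLOB_BYTES:
            problems.append(f"estimated blob {blob} bytes exceeds {MAX_BLOB_BYTES}")
        report[name] = {"trusted-ca": n_trusted, "server-certificate": n_certs,
                        "whitelist-url-categories": n_cats,
                        "blob_estimate": blob, "problems": problems}
    return report


def build_profile(name, n_server_certs, n_url_categories):
    """Generate a profile with N placeholder certificates and categories."""
    certs = " ".join(f"cert{i}" for i in range(n_server_certs))
    cats = " ".join(f"cat{i}" for i in range(n_url_categories))
    return (f"set services ssl proxy profile {name} server-certificate [ {certs} ]\n"
            f"set services ssl proxy profile {name} whitelist-url-categories [ {cats} ]\n")


if __name__ == "__main__":
    config = SAMPLE_CONFIG + build_profile("big", 400, 27)  # 'big' reproduces the page's error
    for profile, info in check_profile_limits(config).items():
        status = "OK" if not info["problems"] else "; ".join(info["problems"])
        print(f"{profile}: {info['blob_estimate']} bytes -> {status}")
```

The profile is attached to traffic in the security policies hierarchy rather than on this page; the form `set security policies from-zone Z1 to-zone Z2 policy P then permit application-services ssl-proxy profile-name fwd-proxy` is the usual shape, and the script ignores such lines because it only counts entries inside the profile. Running the check against the generated `big` profile shows that a configuration at the 400-certificate maximum fails the blob estimate with only 27 URL categories, which is the case the error message on this page describes.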
Options
| Option | Description |
| --- | --- |
| profile-name | Profile identifier. |
| actions | Logging and traffic-related actions. |
| custom-ciphers | Custom cipher list, used when preferred-ciphers is set to custom. |
| disable-deferred-profile-selection | Disable deferred profile selection. With deferred profile selection enabled, the SSL proxy module defers choosing a profile until the dynamic application has been identified from the Server Name Indication (SNI) in the client hello message; it then performs a firewall rule lookup on the identified application and selects the matching SSL proxy profile. |
| enable-flow-tracing | Enable flow tracing for the profile. |
| preferred-ciphers | Select the preferred cipher set: custom, medium, strong, or weak. |
| root-ca | Root certificate used to re-sign server certificates when interdicting sessions (SSL forward proxy). |
| server-certificate | Local certificate identifier presented to clients (SSL reverse proxy). |
| trusted-ca | List of trusted certificate authority profiles, or all to trust every configured CA profile. |
| whitelist | Addresses exempted from SSL proxy. |
| whitelist-url-categories | URL categories exempted from SSL proxy. |
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X44-D10.
The crl statement is supported starting in Junos OS Release 15.1X49-D30.
The logical system option was introduced in Junos OS Release 19.1R1.