Create and Manage SSL Initiation Profiles
Create SSL Initiation Profiles
- Select Shared Services > Objects > SSL Initiation Profile.
  The SSL Initiation Profile page opens.
- Click the plus icon.
  The Create SSL Initiation Profile page opens.
- Complete the configuration according to the following guidelines:
Table 1: SSL Initiation Profile Settings
Setting / Guideline
Name
Enter a unique name of the SSL initiation profile.
The string must consist of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.
Protocol version
Select the accepted SSL/TLS protocol version from the list: None, All, TLSv1, TLSv1.1, or TLSv1.2.
Cipher strength
Specify the accepted ciphers by key strength. Select a preferred cipher strength from the list:
- Custom—Configure a custom cipher suite and its order of preference.
- Medium—Use ciphers with a key strength of 128 bits or greater.
- Strong—Use ciphers with a key strength of 168 bits or greater.
- Weak—Use ciphers with a key strength of 40 bits or greater.
Flow tracing
Select this option to enable flow trace for troubleshooting policy-related issues for this profile.
SSL session cache
Select this option to enable SSL session cache.
Local Certificates
Local Certificate
Specify a client certificate that is required to effectively authenticate the client. Select the appropriate client certificate from the list.
Add device-specific local certificate
Enable this option to select a device-specific client certificate for the client.
- Click the plus icon. The Add Device-specific Local Certificate page opens.
- Enter the following details:
  - Devices—Select the available device from the list.
  - Local certificate—Select the certificate from the list that the client connects to the server with. It is usually signed by a CA that the SRX Series Firewall trusts.
- Click OK.
CA Certificates
CA certificate
Select the certificate authority profile from the list. Specify the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.
Add device-specific CA certificate
Enable this option to select a device-specific CA certificate for the client.
Junos OS provides a default list of trusted CA certificates. Use the default command option to load the default list of trusted CA certificates.
- Click the plus icon. The Add Device-specific CA Certificate page opens.
- Enter the following details:
  - Devices—Select the available device from the list.
  - CA certificate—Select the CA certificate from the list that the client connects to the server with.
- Click OK.
Action
Ignore server authentication failure
Enable this option to ignore server authentication completely.
In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.
CRL validation
Enable CRL validation on the device to check for revoked certificates from servers.
If CRL information is unavailable
Select one of the options from the list:
- None—No action is taken.
- Drop—Drop sessions when CRL information is not available.
- Allow—Allow sessions when CRL information is not available.
If certificate is revoked
Select one of the options from the list:
- None—No action is taken.
- Drop—Drop the sessions when a certificate is revoked.
- Allow—Allow the sessions when a certificate is revoked, and the revocation reason is on hold.
- Click OK.
The SSL Initiation Profile page opens with a confirmation message indicating that the SSL initiation profile is created. After you create an SSL initiation profile, you can use this profile as an application service in a security policy.
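As an added review aid that is not part of this documentation or of Junos OS, the following hypothetical Python helper models the settings from Table 1, checks the name rule, and flags the choices the table itself describes as weakening server authentication or encryption (Weak ciphers, pre-TLSv1.2 versions, ignoring server authentication failures, and permissive CRL actions). The field names, the assumption that "All" admits every listed protocol version, and the sample profiles are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constraints taken from Table 1: name characters and length, and the
# allowed values for each drop-down list (constructed model, not Junos code).
NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,63}$")
PROTOCOLS = {"None", "All", "TLSv1", "TLSv1.1", "TLSv1.2"}
CIPHERS = {"Custom", "Medium", "Strong", "Weak"}
CRL_ACTIONS = {"None", "Drop", "Allow"}


@dataclass
class SslInitiationProfile:
    name: str
    protocol_version: str = "TLSv1.2"
    cipher_strength: str = "Strong"
    ignore_server_auth_failure: bool = False
    crl_validation: bool = True
    if_crl_unavailable: str = "Drop"
    if_cert_revoked: str = "Drop"


def validate(p: SslInitiationProfile) -> list:
    """Return errors for values the page does not allow (e.g. a name with spaces)."""
    errors = []
    if not NAME_RE.match(p.name):
        errors.append("name: alphanumerics, ':', '.', '-', '_' only; 1-63 chars; no spaces")
    if p.protocol_version not in PROTOCOLS:
        errors.append(f"protocol version: unknown value {p.protocol_version!r}")
    if p.cipher_strength not in CIPHERS:
        errors.append(f"cipher strength: unknown value {p.cipher_strength!r}")
    for label, value in (("if CRL unavailable", p.if_crl_unavailable),
                         ("if certificate revoked", p.if_cert_revoked)):
        if value not in CRL_ACTIONS:
            errors.append(f"{label}: unknown value {value!r}")
    return errors


def review(p: SslInitiationProfile) -> list:
    """Return findings for settings that weaken server authentication or encryption."""
    findings = []
    if p.ignore_server_auth_failure:
        findings.append("server certificate errors are ignored; intended only for troubleshooting")
    if p.cipher_strength == "Weak":
        findings.append("Weak ciphers (40-bit keys or greater) are accepted")
    if p.protocol_version in ("All", "TLSv1", "TLSv1.1"):  # assumption: All includes TLSv1
        findings.append("protocol versions older than TLSv1.2 are accepted")
    if not p.crl_validation:
        findings.append("CRL validation is disabled; revoked server certificates go undetected")
    elif p.if_crl_unavailable == "Allow":
        findings.append("sessions are allowed when CRL information is unavailable")
    if p.crl_validation and p.if_cert_revoked == "Allow":
        findings.append("sessions are allowed for revoked certificates with an on-hold reason")
    return findings
```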
Manage SSL Initiation Profiles
- Edit—Select the profile, and then click the pencil icon.
- Delete—Select the profile, and then click the trash can icon. You can only delete an SSL initiation profile if it is not associated with an ICAP redirect server.