This section describes the SSL decryption-exempted scenario.
The FW can use SSL-encrypted traffic detection to decrypt traffic between servers and clients. SSL-encrypted traffic detection also supports a decryption-exempted function. In certain scenarios, the network administrator does not want SSL-encrypted traffic to be decrypted: the internal traffic is not of concern, device performance must be preserved (decrypting SSL-encrypted traffic consumes device resources), or the traffic carries sensitive information such as privacy data. In this case, the FW can use SSL-encrypted traffic detection to transparently transmit SSL-encrypted traffic from the client to the server without decrypting it.
The FW controls the SSL connection between a client and a server through the decryption-exempted profile. When it detects that the server certificate is untrusted or that the SNI is inconsistent with the SAN/CN, the FW determines, according to the administrator's requirements, whether to allow the SSL connection between the client and the server.
When parsing the Client Hello packet sent from the client to the server, the FW extracts the SNI field from the packet and the SAN/CN field from the actual server certificate, and checks the SNI against the SAN/CN to determine whether to allow the SSL connection to the server. For details about the SNI and SAN/CN, see Understanding a Certificate.
The SSL decryption-exempted function has little impact on device performance, but content security checks (such as antivirus and intrusion prevention) cannot be performed on exempted traffic. Generally, SSL decryption exemption is used together with SSL decryption in URL category detection, so that most traffic is decrypted and special traffic (such as traffic carrying sensitive information) is not.
Figure 1 shows the SSL decryption-exempted scenario.
In the SSL decryption-exempted scenario, the FW transparently transmits SSL-encrypted traffic between a client and a server and performs only basic connection control. Figure 2 shows the operating principles.
Upon parsing the Client Hello packet, the FW extracts the SNI field from the packet.
In addition to verifying the server certificate, the FW extracts the SAN/CN field from the server certificate and checks the SNI against the SAN/CN to determine whether to allow the SSL connection between the client and the server.
The FW then transparently transmits subsequent SSL-encrypted traffic from the client to the server without decrypting it.
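As an added example (not code from the FW documentation), the following Python models the two checks described above: extracting the SNI from a Client Hello, then testing it against the certificate's SAN/CN. The Client Hello bytes are constructed inline, and the matching rules (single-label wildcards, CN consulted only when no SAN is present) are common certificate-validation practice, not the FW's documented behaviour.

```python
import struct

def build_client_hello(host):
    """Constructed minimal TLS 1.2 ClientHello with only an SNI extension (not a capture)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni                 # extension type 0
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # version, random, empty session_id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello              # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record header

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                           # client_version + random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    if pos + 2 > len(hello):
        return None                                        # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000:   # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii").rstrip(".").lower()
    return None

def name_matches(sni, cert_name):
    """Exact match, or one wildcard label with at least two fixed labels after it."""
    cert_name = cert_name.rstrip(".").lower()
    if not cert_name.startswith("*."):
        return sni == cert_name
    s, c = sni.split("."), cert_name.split(".")
    return len(c) >= 3 and len(s) == len(c) and s[1:] == c[1:]

def sni_consistent(sni, san_dns_names, cn):
    """SAN dNSNames are authoritative; the CN is consulted only when there is no SAN."""
    candidates = san_dns_names if san_dns_names else [cn]
    return any(name_matches(sni, n) for n in candidates if n)
```

A mismatch here is exactly the "SNI inconsistent with SAN/CN" condition on which the decryption-exempted profile decides whether the connection is allowed.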