
Configuring an SSL Domain Name Whitelist

This section describes the application scenario of the SSL domain name whitelist and how to configure it.

Context

The SSL domain name whitelist is used only in the client protection scenario.

When an SSL connection is established between a client and a server, some browsers do not have the FW's CA certificate preset or imported, and some software applications pin a fixed public key. If the FW still acts as a proxy for the SSL connection between such a client and the server, the client cannot verify the certificate the FW pushes to it, and the connection is interrupted. For these cases, the FW transmits the SSL connection between the client and the server transparently instead of proxying it.

The FW extracts the SNI field from the Client Hello packet and the CN field from the server certificate, and compares the extracted SNI or CN field with the SSL domain name whitelist. If either field matches an entry in the whitelist, the FW no longer acts as a proxy for SSL connections destined for that server.

The FW compares the SNI field with the SSL domain name whitelist first. It compares the CN field with the SSL domain name whitelist only when the SNI and CN fields are different.

The FW has a predefined domain name whitelist. It contains common domain names of websites whose clients perform deep verification of the server certificate. In Domain Name Whitelist, entries whose Type is Predefined belong to this list. In addition to the predefined whitelist, you can define your own SSL domain name whitelist entries.

The domain name whitelist is intended for client applications that perform in-depth verification of the server certificate. It is not the mechanism for exempting traffic to websites that handle sensitive information from decryption. For that purpose, use decryption-exemption rules in the encrypted traffic detection policy, which match on conditions such as IP address, user, URL category, and service.

When traffic matches the SSL encrypted traffic detection policy but the FW cannot decrypt it, the FW adds the IP address, port number, and SNI of the traffic to the dynamic domain name whitelist. The FW does not proxy subsequent traffic that matches the dynamic domain name whitelist; it transmits that traffic transparently. The dynamic domain name whitelist does not need to be configured; the system generates it automatically. Run the display ssl whitelist dynamic command to view it.

Configuring an SSL Domain Name Whitelist Using the Web UI

  1. Choose Policy > Encrypted Traffic Detection > Domain Name Whitelist.
  2. Click Add to add a user-defined domain name.

    Parameter      Description
    Domain Name    The SNI sent by the client in the Client Hello, or the CN field of the corresponding server certificate. The value is a domain name, for example, www.example.com.
    Description    Description of the domain name, to help the administrator remember what the entry is for.

Configuring an SSL Domain Name Whitelist Using the CLI

  1. If you do not know the CN field of the server certificate, access the server from the client, and then run the display app-proxy dynamic-cert cache command on the FW to view the SSL server certificates the FW has recently received.
    <sysname> display app-proxy dynamic-cert cache 
      current/total cache size: 1/512 
      hit times: 25 
    Aproxy Issuer Certificate: 
    HitTime:25 
    Orignal Certificate: 
     Data: 
            Serial Number: 1 (0x1) 
            Issuer: C=cn, ST=zj, L=hz, O=hw, OU=fw, CN=RootCA 
            Validity 
                Not Before: May 25 08:27:03 2016 GMT 
                Not After : May 23 08:27:03 2026 GMT 
            Subject: C=cn, ST=zj, L=hz, O=hw, OU=fw, CN=www.example.com 
    Aproxy Certificate: 
     Data: 
            Serial Number: 1 (0x1) 
            Issuer: C=CN, ST=JS, L=NJ, O=HW, OU=VPN, CN=CA-210235G7LN0123456789 
            Validity 
                Not Before: May 25 08:27:03 2016 GMT 
                Not After : May 23 08:27:03 2026 GMT 
            Subject: C=cn, ST=zj, L=hz, O=hw, OU=fw, CN=www.example.com

    www.example.com is the CN field of the server certificate (the Subject line of the Original Certificate, not the Aproxy Certificate the FW re-signs).

  2. Run the ssl whitelist userdefined-hostname host-name command to add the domain name of the server to the domain name whitelist. Set host-name to the CN field of the server certificate, for example, www.example.com.
Copyright © Huawei Technologies Co., Ltd.