Inspect TLS traffic

You can enable Advanced TLS Traffic Inspection for the Intrusion Prevention module.

Note that Advanced TLS Traffic Inspection and SSL inspection do not support compressed traffic.

Enable Advanced TLS Traffic Inspection

Advanced TLS Traffic Inspection offers the following benefits over the legacy SSL inspection implementation:

It removes the need to configure TLS credentials manually.
It supports more ciphers than SSL inspection, including Perfect Forward Secrecy (PFS) ciphers. For more information, see Supported cipher suites.

Enabling the Intrusion Prevention module automatically applies Advanced TLS Traffic Inspection to both inbound and outbound traffic:

Inspect Inbound TLS/SSL Traffic is enabled by default for inbound traffic.
Inspect Outbound TLS/SSL Traffic is enabled by default for outbound traffic and is supported by the Deep Security Agent version 20.0.1-12510 (20 LTS Update 2024-06-19) or later.

To verify or adjust these settings, as well as obtain guidance on the configuration steps for outbound traffic, navigate to Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection.

Use Advanced TLS Traffic Inspection

Advanced TLS Traffic Inspection can be enabled and used for inbound and outbound traffic on Windows and Linux platforms (see Supported features by platform).

On Windows, Advanced TLS Traffic Inspection only supports traffic using Windows-native TLS communication channels (see Secure Channel). For example, traffic produced by IIS, Microsoft Exchange or Remote Desktop Protocol (RDP). When Advanced TLS Traffic Inspection is enabled, a component called TMExtractor is activated to perform the necessary inspections. The TMExtractor file remains after DSA is uninstalled, but this file is automatically removed after a reboot.

On Linux, Advanced TLS Traffic Inspection only supports traffic by popular web applications: NGINX, Apache HTTP Server, HAProxy, and Apache Tomcat server. Note that Tomcat server only supports OpenJDK 8 on Linux (64-bit) and runs without a container.

If you need to inspect TLS traffic that is not supported by advanced TLS traffic inspection, or TLS traffic on other operating systems, you can configure the legacy SSL inspection instead.

Configure SSL inspection (legacy)

You can configure SSL inspection for a given credential-port pair on one or more interfaces of your protected computer.

Credentials can be imported in PKCS#12 or PEM format. The credential file must include the private key. Windows computers can use CryptoAPI directly.

In the Workload Security console, select the computer to configure and click Details to open the Computer editor.
In the left pane of the Computer editor, click Intrusion Prevention > Advanced > View SSL Configurations, and click View SSL Configurations to open the SSL computer Configurations window.
Click New to open the SSL Configuration wizard.
Specify the interface to which to apply the configuration on this computer:
- To apply to all interfaces on this computer, select All Interface(s).
- To apply to specific interfaces, select Specific Interface(s).
Select Port(s) or Ports List and select a list, then click Next.
On the IP Selection screen, select All IPs or provide a Specific IP on which to perform SSL inspection, then click Next.
On the Credentials screen, select how to provide the credentials:
- I will upload credentials now
- The credentials are on the computer
  
  The credential file must include the private key.
If you chose the option to upload credentials now, enter their type, location, and pass phrase (if required).
If the credentials are on the computer, provide Credential Details:
- If you are using PEM or PKCS#12 credential formats stored on the computer, identify the location of the credential file and the file's pass phrase (if required).
- If you are using Windows CryptoAPI credentials, choose the credentials from the list of credentials found on the computer.
Provide a name and description for this configuration.
Review the summary and close the SSL Configuration wizard. Read the summary of the configuration operation and click Finish to close the wizard.

Change port settings

Change the port settings for the computer to ensure that the agent is performing the appropriate Intrusion Prevention filtering on the SSL-enabled ports. The changes you make are applied to a specific application type, such as Web Server Common, on the agent computer. The changes do not affect the application type on other computers.

Go to Intrusion Prevention Rules in the computer's Details window to see the list of Intrusion Prevention rules being applied on this computer.
Sort the rules by Application Type and locate the Web Server Common application type. You can perform these changes to similar application types as well.
Right-click a rule in the application type and click Application Type Properties.
Override the inherited HTTP Port List so that you include the port you defined during the SSL Configuration setup, as well as port 80. Enter the ports as comma-separated values. For example, if you use port 9090 in the SSL configuration, enter 9090, 80.
To improve performance, on the Configuration tab, deselect Inherited and Monitor responses from Web Server.
Click OK to close the dialog.

Use Intrusion Prevention when traffic is encrypted with Perfect Forward Secrecy (PFS)

Perfect Forward Secrecy (PFS) can be used to create a communication channel that cannot be decrypted if, at a later time, the server's private key is compromised. Since the intent of Perfect Forward Secrecy is to prevent decryption after the session is over, it also prevents the Intrusion Prevention module from seeing the traffic through SSL inspection.

Using Advanced TLS traffic inspection, the Intrusion Prevention module can analyze traffic encrypted with PFS ciphers without additional configuration.

To use PFS ciphers with SSL inspection instead, you can do the following:

Use Perfect Forward Secrecy for TLS traffic between the Internet and your load balancer or reverse proxy.
Terminate the Perfect Forward Secrecy session at your load balancer or reverse proxy.
Use a non-PFS cipher suite (see SSL inspection supports the following cipher suites) for traffic between the load balancer or reverse proxy, and the web server or application server, so that the Intrusion Prevention module on the server can decrypt the TLS sessions and inspect them.
Restrict traffic to the web server for application server ports that do not use Perfect Forward Secrecy.

Special considerations for Diffie-Hellman ciphers

The following description only applies when using SSL inspection instead of Advanced TLS traffic inspection.

Perfect Forward Secrecy relies on the Diffie-Hellman key exchange algorithm. On some web servers, Diffie-Hellman might be the default, which means that SSL inspection cannot work properly. It is therefore important to check the server's configuration file and disable Diffie-Hellman ciphers for TLS traffic between the web server and load balancer or reverse proxy. For example, to disable Diffie-Hellman on an Apache server:

Open the server's configuration file. The file name and location of web server configuration files vary by operating system and distribution. For example, the path could be:
- Default installation on RHEL4: /etc/httpd/conf.d/ssl.conf
- Apache 2.2.2 on Red Hat Linux: /apache2/conf/extra/httpd-ssl.conf
In the configuration file, find the "SSLCipherSuite" variable.
Add !DH:!EDH:!ADH: to these fields, if this string does not already appear (the "!" tells Apache to not use this cipher).

For example, you might edit the Apache configuration file's cipher suite to look similar to the following:

SSLCipherSuite !DH:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

For more information, see the Apache Documentation for SSLCipherSuite Directive.

Supported cipher suites

Hex Value	OpenSSL Name	IANA Name	NSS Name	Advanced TLS Inspection	SSL inspection (legacy)
0x00,0x04	RC4-MD5	TLS_RSA_WITH_RC4_128_MD5	SSL_RSA_WITH_RC4_128_MD5	✔	✔
0x00,0x05	RC4-SHA	TLS_RSA_WITH_RC4_128_SHA	SSL_RSA_WITH_RC4_128_SHA	✔	✔
0x00,0x09	DES-CBC-SHA	TLS_RSA_WITH_DES_CBC_SHA	SSL_RSA_WITH_DES_CBC_SHA	✔	✔
0x00,0x0A	DES-CBC3-SHA	TLS_RSA_WITH_3DES_EDE_CBC_SHA	SSL_RSA_WITH_3DES_EDE_CBC_SHA	✔	✔
0x00,0x2F	AES128-SHA	TLS_RSA_WITH_AES_128_CBC_SHA	TLS_RSA_WITH_AES_128_CBC_SHA	✔	✔
0x00,0x33	DHE-RSA-AES128-SHA	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	TLS_DHE_RSA_WITH_AES_128_CBC_SHA	✔
0x00,0x35	AES256-SHA	TLS_RSA_WITH_AES_256_CBC_SHA	TLS_RSA_WITH_AES_256_CBC_SHA	✔	✔
0x00,0x39	DHE-RSA-AES256-SHA	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	✔
0x00,0x3C	AES128-SHA256	TLS_RSA_WITH_AES_128_CBC_SHA256	TLS_RSA_WITH_AES_128_CBC_SHA256	✔	✔
0x00,0x3D	AES256-SHA256	TLS_RSA_WITH_AES_256_CBC_SHA256	TLS_RSA_WITH_AES_256_CBC_SHA256	✔	✔
0x00,0x41	CAMELLIA128-SHA	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA	✔	✔
0x00,0x67	DHE-RSA-AES128-SHA256	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256	✔
0x00,0x6b	DHE-RSA-AES256-SHA256	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256	✔
0x00,0x84	CAMELLIA256-SHA	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA	✔	✔
0x00,0x9c	AES128-GCM-SHA256	TLS_RSA_WITH_AES_128_GCM_SHA256	TLS_RSA_WITH_AES_128_GCM_SHA256	✔	✔
0x00,0x9d	AES256-GCM-SHA384	TLS_RSA_WITH_AES_256_GCM_SHA384	TLS_RSA_WITH_AES_256_GCM_SHA384	✔	✔
0x00,0x9e	DHE-RSA-AES128-GCM-SHA256	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	✔
0x00,0x9f	DHE-RSA-AES256-GCM-SHA384	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	✔
0x00,0xBA	CAMELLIA128-SHA256	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256	✔	✔
0x00,0xC0	CAMELLIA256-SHA256	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256	✔	✔
0xc0,0x09	ECDHE-ECDSA-AES128-SHA	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	✔
0xC0,0x0A	ECDHE-ECDSA-AES256-SHA	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	✔
0xc0,0x13	ECDHE-RSA-AES128-SHA	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	✔
0xc0,0x14	ECDHE-RSA-AES256-SHA	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	✔
0xc0,0x23	ECDHE-ECDSA-AES128-SHA256	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	✔
0xc0,0x24	ECDHE-ECDSA-AES256-SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	✔
0xc0,0x27	ECDHE-RSA-AES128-SHA256	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	✔
0xc0,0x28	ECDHE-RSA-AES256-SHA384	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	✔
0xc0,0x2b	ECDHE-ECDSA-AES128-GCM-SHA256	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	✔
0xc0,0x2c	ECDHE-ECDSA-AES256-GCM-SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	✔
0xc0,0x2f	ECDHE-RSA-AES128-GCM-SHA256	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	✔
0xc0,0x30	ECDHE-RSA-AES256-GCM-SHA384	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	✔
0xC0,0x9C	AES128-CCM	TLS_RSA_WITH_AES_128_CCM	TLS_RSA_WITH_AES_128_CCM	✔	✔
0xC0,0x9D	AES256-CCM	TLS_RSA_WITH_AES_256_CCM	TLS_RSA_WITH_AES_256_CCM	✔	✔
0xC0,0xA0	AES128-CCM8	TLS_RSA_WITH_AES_128_CCM_8	TLS_RSA_WITH_AES_128_CCM_8	✔	✔
0xC0,0xA1	AES256-CCM8	TLS_RSA_WITH_AES_256_CCM_8	TLS_RSA_WITH_AES_256_CCM_8	✔	✔
0xcc,0xa8	ECDHE-RSA-CHACHA20-POLY1305	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	✔
0xcc,0xa9	ECDHE-ECDSA-CHACHA20-POLY1305	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	✔
0xcc,0xaa	DHE-RSA-CHACHA20-POLY1305	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256	✔

Supported protocols

The following protocols are supported:

TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3 (Linux only)

SSL 3.0 inspection is not supported and is blocked by default.