path: root/content/Decryption.tex
blob: 1567abbd6b0a76311bbb8d4538211ee43453a44d (plain)
% !TEX root = ../TSG_Administrator's_Guide_Latest_EN.tex
%
%\pdfbookmark[0]{Decryption}{Decryption}
\chapter*{\hypertarget{link:Decryption}{Decryption}}
\addcontentsline{toc}{chapter}{Decryption}
\label{sec:decrypt}

TSG has a proxy that uses MITM (man-in-the-middle) technology and enables you to perform advanced layer 4-7 manipulation of network traffic. 
The proxy is deployed in transparent mode, so no proxy settings are required on the browser side. 
The proxy can decrypt and inspect traffic to control protocols and perform certificate verification. 
The proxy handles encrypted traffic according to your configured security settings. 
Traffic is reassembled according to the TCP/IP protocol stack with the original headers 
(source IP, source port, destination IP, destination port, protocol, etc.) and the decrypted payload. 
Decryption prevents malicious encrypted content from entering your network and sensitive content from leaving your network concealed as encrypted traffic. 
Enabling decryption requires preparing the necessary keys and certificates, creating decryption profiles, and configuring traffic mirror profiles.

{
\color{linkblue}
\hyperlink{link:Decryption Concepts}{> Decryption Concepts} \\
\hyperlink{link:Keys and Certificates}{> Keys and Certificates} \\
\hyperlink{link:Certificate Managements}{> Certificate Managements}\\
\hyperlink{link:Proxy Profiles}{> Proxy Profiles}\\
}
\clearpage

%\pdfbookmark[1]{Decryption Concepts}{Decryption Concepts}
\section*{\hypertarget{link:Decryption Concepts}{Decryption Concepts}}
\addcontentsline{toc}{section}{Decryption Concepts}
\label{sec:decrypt:concept}

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols secure traffic between two entities, such as a web server and a client. 
Unless stated otherwise, SSL in this document refers to SSL/TLS. SSL encapsulates traffic, encrypting data so that it is meaningless to 
entities other than the client and server, which hold the certificates that affirm trust between the devices and the keys that decode the data.


The proxy uses certificates and keys to decrypt traffic to plaintext and then enforces security settings on the plaintext traffic. 
After decrypting and inspecting traffic, the proxy re-encrypts the plaintext traffic as it exits the proxy to ensure privacy and security.


SSL decryption requires certificates to establish the proxy as a trusted third-party, and establish trust between a client and a server to secure an SSL/TLS connection. 
You can also use certificates when excluding servers from SSL decryption for technical reasons 
(the site breaks decryption for reasons such as certificate pinning, unsupported ciphers, or mutual authentication).


You can integrate a hardware security module (HSM) with TSG to enhance private key security. 
To learn more about integrating an HSM, see \hyperlink{link:Manage Keys with a Hardware Security Module}{\color{linkblue}{Manage Keys with a Hardware Security Module}}.

%\pdfbookmark[1]{Keys and Certificates}{Keys and Certificates}
\section*{\hypertarget{link:Keys and Certificates}{Keys and Certificates}}
\addcontentsline{toc}{section}{Keys and Certificates}
\label{sec:decrypt:keys}

Keys are strings of numbers typically generated using a mathematical operation involving random numbers and large primes. 
Keys transform strings, such as passwords and shared secrets, from unencrypted plaintext to encrypted ciphertext and from encrypted ciphertext back to unencrypted plaintext. 


X.509 certificates establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as the FQDN or IP address (called the common name or CN within the certificate) or the name of the organization or user to which the certificate was issued. A certificate authority (CA) must issue all certificates. After the CA verifies a client or server, the CA issues the certificate and signs it with its private key.


When you decrypt traffic, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its Trusted Certificate Authorities list and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA for SSL Proxy. If the firewall does not have the server root CA certificate in its Trusted Certificate Authorities list, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.


Changing the static expiration time for newly generated certificates does not cause a service shutdown or other problems that negatively affect decryption.


TSG allows you to delete installed certificates, including the default certificate, and to change the global and default certificates; 
however, if a certificate is already referenced by a policy, TSG does not allow deleting it. You can modify the referenced certificate instead. 
For detailed information on certificates, see \hyperlink{link:Certificate Managements}{\color{linkblue}{Certificate Managements}}.

%\pdfbookmark[1]{Certificate Managements}{Certificate Managements}
\section*{\hypertarget{link:Certificate Managements}{Certificate Managements}}
\addcontentsline{toc}{section}{Certificate Managements}
\label{sec:decrypt:certificate}

Digital certificates are used to ensure trust between parties in a secure communication session. 
Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. 
Each certificate also includes a digital signature to authenticate the identity of the issuer. 
The issuer must be on the list of trusted certificate authorities (CAs) of the authenticating party.

%\pdfbookmark[2]{Trusted Certificate Authorities}{Trusted Certificate Authorities}
\subsection*{\hypertarget{link:Trusted Certificate Authorities}{Trusted Certificate Authorities}}
\addcontentsline{toc}{subsection}{Trusted Certificate Authorities}
\label{sec:decrypt:certificate:trusted}

TSG trusts the most common certificate authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates 
TSG requires to secure connections to the internet. The additional CAs you might want to add are the trusted enterprise CAs that your organization requires. 
Perform the following to import a CA certificate:

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Decryption}, select the \textbf{Trusted Certificate Authorities} tab, and click \textbf{Import}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. It can use only letters, numbers, hyphens, and underscores.
    \item[STEP 3.]	Click \textbf{Please upload} and upload a PEM (base64-encoded) format file.
    \item[STEP 4.]	Click \textbf{OK}.    
\end{description}

Go back to the Trusted Certificate Authorities tab. You can view detailed information about the CA you just created. 
To edit or delete a CA, find the item you want to edit or delete in the list and click \textbf{Edit} or \textbf{Delete} at the top left. 
The system periodically checks whether the CA certificate has expired. 
If the CA certificate expires, the system automatically sets the status of the CA certificate to disabled. 
To download it, click the cloud icon under \textbf{File} and wait a few seconds for the file to be downloaded to your local folder. 
You can search CAs based on ID, Name, Issuer, Common Name, Certificate Fingerprint, or a combination of these. Enter the search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{Decryption Keyrings}{Decryption Keyrings}
\subsection*{\hypertarget{link:Decryption Keyrings}{Decryption Keyrings}}
\addcontentsline{toc}{subsection}{Decryption Keyrings}
\label{sec:decrypt:certificate:keyring}

If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into TSG from your enterprise certificate authority (CA). 
Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption.


Note that the built-in certificate with ID 1 (\#1) is the default certificate for trusted servers, 
and the built-in certificate with ID 0 (\#0) is the default certificate for untrusted servers. 
You can add a decryption keyring to TSG in two ways. One is local management through the TSG interface, using the following procedure; 
the other is to integrate an external HSM device, in which case the certificate is saved in the HSM for the specified website. 
For more details about HSM, see \hyperlink{link:Manage Keys with a Hardware Security Module}{\color{linkblue}{Manage Keys with a Hardware Security Module}}.


\notemark\textit{If the HSM is down, the firewall can still process decryption for HSM-mode sites for which it has cached the response from the HSM. 
Meanwhile the firewall deploys the default certificates (\#0 or \#1) for uncached HSM-mode sites.}


You can perform the following to Import a Certificate and Private Key:

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Keyrings}, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters.
    \item[STEP 3.]	\textbf{Please Upload} a \textbf{Certificate}. For Intermediate CA, the certificate must be a complete chain.
    \item[STEP 4.]	\textbf{Please Upload} a \textbf{Private Key File} separately. It supports PEM (base64-encoded) format only. 
        If you have your digital keys stored in HSM, please select \textbf{HSM}, and fill in \textbf{Slot ID}.
    \item[STEP 5.]	Enter customized \textbf{Reissue Expiry Hours} or select Mirror Server Certificate.
    \item[STEP 6.]	Select a \textbf{Type} from Root Certificate, Intermediate Certificate, and End-entity.
    \item[STEP 7.]	Select \textbf{Public Key Algorithm} from RSA 1024, RSA 2048, SECP 256r1, and SECP 384r1.
    \item[STEP 8.]	Enter \textbf{Certificate Revocation List} address or leave the value set to empty.
    \item[STEP 9.]	Enable \textbf{Include root in client-side certificate chain} if you wish to.
\end{description}

Go back to the Decryption Keyrings tab. You can view detailed information about the keyring you just created. 
To edit or delete a keyring, find the item you want to edit or delete in the list and click \textbf{Edit} or \textbf{Delete} at the top left. 
To download them, click the cloud icon under \textbf{Private Key} or \textbf{Certificate} and wait a few seconds for the file to be downloaded to your local folder. 
You can search keyrings based on ID and Name. Enter the search conditions in the search bar and click the search icon.

%\pdfbookmark[3]{Manage Keys with a Hardware Security Module}{Manage Keys with a Hardware Security Module}
\subsubsection*{\hypertarget{link:Manage Keys with a Hardware Security Module}{Manage Keys with a Hardware Security Module}}
\addcontentsline{toc}{subsubsection}{Manage Keys with a Hardware Security Module}
\label{sec:decrypt:certificate:keyring:hsm}

A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. 
It provides both logical and physical protection of these materials from non-authorized use and potential adversaries. 
HSM clients integrated with TSG enable enhanced security for the private keys used in SSL/TLS decryption.


You can integrate a Hardware Security Module (HSM) device with TSG and reference it in Decryption Keyrings.


You can integrate an HSM device by the following procedure. 

\begin{description}
    \item[STEP 1.]	Select \textbf{Devices} > \textbf{HSM} and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters.
    \item[STEP 3.]	Select \textbf{HSM Server Type}. Currently only CERTEX HSM is supported.
    \item[STEP 4.]	Specify \textbf{Server IP} and \textbf{Partition Password}. The password allows only English letters, numbers, underscore (\_), hyphen (-), and dot (.), 
    with a minimum length of 6 and a maximum length of 16.
    \item[STEP 5.]	Click \textbf{Reachability Test} to know the status of HSM.
    \item[STEP 6.]	Select \textbf{Data Center} of the HSM.
    \item[STEP 7.]	Click \textbf{OK}.
\end{description}

%\pdfbookmark[2]{SSL Decryption Exclusion}{SSL Decryption Exclusion}
\subsection*{\hypertarget{link:SSL Decryption Exclusion}{SSL Decryption Exclusion}}
\addcontentsline{toc}{subsection}{SSL Decryption Exclusion}
\label{sec:decrypt:certificate:exclusion}

SSL Decryption Exclusion can exclude two types of traffic from decryption:

\begin{itemize}
    \item Traffic that breaks decryption for technical reasons, such as using a pinned certificate, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). 
    If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname.
    \item Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial services, health-and-medicine, 
    or government traffic. You can choose to exclude traffic based on FQDN.
\end{itemize}


\notemark\textit{To increase visibility into traffic and reduce the attack surface as much as possible, don’t make decryption exceptions unless you must.}


Perform the following to exclude a Server from Decryption:

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Exclusion}, and click \textbf{Create}.
    \item[STEP 2.]	Enter an \textbf{FQDN}. Only suffix matching and exact matching are supported, e.g. *.example.com or \$www.example.com. 
    \item[STEP 3.]	Enter a \textbf{Description}. The description can have up to 255 characters.
    \item[STEP 4.]	Click \textbf{OK}.   
\end{description}

When you create an SSL Decryption Exclusion entry, TSG actually creates an FQDN object that contains only one item. 
This FQDN object can only be seen in SSL Decryption Exclusion and is referenced by the TSG built-in Policy ID 1. 


Go back to the SSL Decryption Exclusion tab. You can view detailed information about the SSL Decryption Exclusion list you just created. 
To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. 
You can search the exclusion list based on ID and Name. Enter search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{Cached Intermediate Certificates}{Cached Intermediate Certificates}
\subsection*{\hypertarget{link:Cached Intermediate Certificates}{Cached Intermediate Certificates}}
\addcontentsline{toc}{subsection}{Cached Intermediate Certificates}
\label{sec:decrypt:certificate:cached}

TSG automatically caches intermediate certificates. You can select \textbf{Profiles} > \textbf{Decryption} 
and select \textbf{Cached Intermediate Certificates} to view detailed information about these intermediate certificates. 
These intermediate certificates are issued by Trusted Certificate Authorities and are used to complete an incomplete certificate chain presented by a server. 
TSG collects the following information: source website, issued by, issued to, CN, and expiry date.


To download a certificate, click the icon under \textbf{File} and wait a few seconds for the file to be downloaded to your local folder. 
You can also enable and disable it by clicking the switch under \textbf{Enabled}. 
The system periodically checks whether the intermediate certificate has expired. 
If the intermediate certificate expires, the system automatically sets its status to disabled. 
You can search intermediate certificates based on ID, Source Website, Issuer, Common Name, Certificate Fingerprint, or a combination of these. 
Enter the search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{SSL Fingerprint}{SSL Fingerprint}
\subsection*{\hypertarget{link:SSL Fingerprint}{SSL Fingerprint}}
\addcontentsline{toc}{subsection}{SSL Fingerprint}
\label{sec:decrypt:certificate:fingerprint}

You can use JA3 hashes shared across the network to help accurately identify pinning applications and then configure the app for Dynamic Bypass (or not) accordingly in TSG. 


It is hard to determine that a JA3 hash belongs to a pinning app, but TSG can determine that an app is not pinning by a successful decryption, 
and it is relatively easy to collect JA3 hashes for non-pinning apps. Over time, more and more JA3 hashes of non-pinning apps have been collected. 
If an SSL session exhibits pinning characteristics and its JA3 hash is not in the collected set of non-pinning hashes, it is more accurate than ever to conclude that the application is pinning. 
If an SSL session exhibits pinning characteristics and its JA3 hash is in the collected set of non-pinning hashes, 
it is more accurate than ever to conclude that the app is a browser without the root certificate installed. To configure Dynamic Bypass or Intercept for pinning apps, see 
\hyperlink{link:Decryption Profile}{\color{linkblue}{Decryption Profile}}.


The overall process is as follows:

\begin{description}[leftmargin=0pt]
    \item
    \begin{enumerate}
        \setlength{\topsep}{0pt}
        \item The firewall collects JA3 hashes through security event logs or session records. You can view the SSL.JA3 hash field and query by it in the respective logs page. 
        \item Analyze JA3 hashes through TSG reports. For example, you can create the following JA3-hash-related reports. 
        \begin{enumerate}
            \item  In session records, perform top-N statistics on JA3 hash by the number of distinct SNIs.
            \item  In security event logs, perform top-N statistics on SNI by the number of unique JA3 hashes.
            \item  In security event logs, perform top-N statistics on the JA3 hash and SNI combination by transmitted bytes.
            \item  In security events or session records, perform top-N statistics on Client IP or Internal IP by the number of unique JA3 hashes.
        \end{enumerate}
        \item The TSG administrator imports the JA3 hashes that meet the requirements in the report analysis result into the database through the TSG interface.
    \end{enumerate}
\end{description} 

Perform the following steps to create an SSL fingerprint:

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Fingerprint}, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{JA3 Hash}. 
    \item[STEP 3.]	Select Yes or No for \textbf{Pinning}.
    \item[STEP 4.]	(\textcolor{gold}{Optional}) Enter a \textbf{Description}. The description can have up to 1024 characters. 
    \item[STEP 5.]	Click \textbf{OK}.
\end{description} 

Go back to the SSL Fingerprint tab. You can view detailed information about the SSL fingerprint entry you just created. 
To edit or delete an entry, find the item you want to edit or delete in the list and click \textbf{Edit} or \textbf{Delete} at the top left. 
You can search the fingerprint list based on ID and JA3 Hash. Click the Import or Export icon on the right to import or export a CSV file of SSL fingerprints. 
You can also upload User-Agent strings in JSON format. The User-Agent string is often used for content negotiation, 
where the origin server selects suitable content or operating parameters for the response. 
The concept of content tailoring is built into the HTTP standard in RFC1945 “for the sake of tailoring responses to avoid particular user agent limitations.” 
The information in the User-Agent string contributes to the information that the client sends to the server, since the string can vary considerably from user to user.
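As an added illustration of the value the firewall collects above (example code, not TSG's own): computing the JA3 string and hash from a raw TLS ClientHello, dropping GREASE values as the JA3 definition requires, and looking the hash up in a table shaped like the SSL Fingerprint profile (JA3 hash to Pinning Yes/No). The ClientHello and the table entry are constructed here; the record and extension layouts follow the TLS specification.

```python
import hashlib
import struct


def _is_grease(v):
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are randomised per client and excluded from JA3."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def ja3_from_client_hello(record):
    """Parse a TLS record carrying a ClientHello and return (ja3_string, ja3_md5, sni).
    JA3 = version,ciphers,extensions,supported_groups,ec_point_formats (decimal, '-' joined)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError('not a TLS handshake record carrying a ClientHello')
    pos = 9                                            # record header (5) + handshake header (4)
    version = struct.unpack('>H', record[pos:pos + 2])[0]
    pos += 2 + 32                                      # version, client random
    pos += 1 + record[pos]                             # session id
    n = struct.unpack('>H', record[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in struct.unpack('>%dH' % (n // 2), record[pos:pos + n]) if not _is_grease(c)]
    pos += n
    pos += 1 + record[pos]                             # compression methods
    end = pos + 2 + struct.unpack('>H', record[pos:pos + 2])[0]
    pos += 2
    ext_types, groups, formats, sni = [], [], [], None
    while pos < end:
        etype, elen = struct.unpack('>HH', record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if _is_grease(etype):
            continue
        ext_types.append(etype)
        if etype == 0:                                 # server_name: list len, name type, name len, name
            sni = data[5:5 + struct.unpack('>H', data[3:5])[0]].decode('ascii')
        elif etype == 10:                              # supported_groups (elliptic curves)
            cnt = struct.unpack('>H', data[:2])[0] // 2
            groups = [g for g in struct.unpack('>%dH' % cnt, data[2:2 + 2 * cnt]) if not _is_grease(g)]
        elif etype == 11:                              # ec_point_formats
            formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ['-'.join(str(x) for x in lst) for lst in (ciphers, ext_types, groups, formats)]
    ja3 = ','.join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest(), sni


def build_client_hello(version, ciphers, extensions):
    """Serialise a minimal ClientHello record; extensions is a list of (type, raw data)."""
    body = struct.pack('>H', version) + bytes(32) + b'\x00'      # version, zeroed random, empty session id
    body += struct.pack('>H', 2 * len(ciphers)) + b''.join(struct.pack('>H', c) for c in ciphers)
    body += b'\x01\x00'                                          # one compression method: null
    exts = b''.join(struct.pack('>HH', t, len(d)) + d for t, d in extensions)
    body += struct.pack('>H', len(exts)) + exts
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('>H', len(handshake)) + handshake


def sni_ext(host):
    """server_name extension (type 0) for one DNS host name."""
    name = host.encode('ascii')
    entry = b'\x00' + struct.pack('>H', len(name)) + name
    return (0, struct.pack('>H', len(entry)) + entry)


def groups_ext(groups):
    """supported_groups extension (type 10)."""
    return (10, struct.pack('>H', 2 * len(groups)) + b''.join(struct.pack('>H', g) for g in groups))


# Constructed ClientHello resembling a TLS 1.3-capable client, with a GREASE cipher, a GREASE
# extension and a GREASE group mixed in (the random bytes are zeroed for brevity).
SAMPLE_HELLO = build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f], [
    sni_ext('app.example.com'), (0x2a2a, b''), groups_ext([0x2a2a, 0x001d, 0x0017]),
    (11, b'\x01\x00'), (16, b'\x00\x03\x02h2')])                   # ALPN: only its type counts

# Constructed SSL Fingerprint entries (JA3 hash -> Pinning Yes/No), as the TSG profile stores them.
SSL_FINGERPRINTS = {ja3_from_client_hello(SAMPLE_HELLO)[1]: False}


def classify(ja3_hash, fingerprints):
    """'Pinning' / 'Not Pinning' when the hash is listed, else 'Unknown' (decide from the handshake outcome)."""
    if ja3_hash not in fingerprints:
        return 'Unknown'
    return 'Pinning' if fingerprints[ja3_hash] else 'Not Pinning'
```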

%\pdfbookmark[1]{Proxy Profiles}{Proxy Profiles}
\section*{\hypertarget{link:Proxy Profiles}{Proxy Profiles}}
\addcontentsline{toc}{section}{Proxy Profiles}
\label{sec:decrypt:profile}

A policy rule combines several conditions and one action. The action determines how to control the traffic, and action parameters are managed in policy profiles. 
While policy objects enable you to identify traffic to enforce policies, policy profiles help you define further action.

%\pdfbookmark[2]{Response Pages}{Response Pages}
\subsection*{\hypertarget{link:Response Pages}{Response Pages}}
\addcontentsline{toc}{subsection}{Response Pages}
\label{sec:decrypt:profile:response}

When a Proxy Policy or Security Policy terminates a matched HTTP session with a response page (Deny action), 
you can specify a Response Code and Response Content to generate an error page, 
or you can upload an HTML file via \textbf{Proxy Profile} > \textbf{Response Pages}.

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Response Pages} tab, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters.
    \item[STEP 3.]	Upload a \textbf{File}. Only html/htm formats are allowed. 
\end{description} 

Go back to the Response Pages tab. You can view detailed information about the page you just created. 
To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. 
To download it, you can click the cloud icon under \textbf{File}, and wait a few seconds to download the file to your local folder. 
You can search page list based on ID and Name. Enter search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{Insert Scripts}{Insert Scripts}
\subsection*{\hypertarget{link:Insert Scripts}{Insert Scripts}}
\addcontentsline{toc}{subsection}{Insert Scripts}
\label{sec:decrypt:profile:insert}

The Proxy Policy can insert “js” or “CSS” scripts into webpages. You can upload a script via \textbf{Proxy} > \textbf{Insert Scripts}.

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Insert scripts}, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters.
    \item[STEP 3.]	Upload a \textbf{Script}. Only “js” and “CSS” files are allowed.
    \item[STEP 4.]	Select a \textbf{Script Type} from the drop-down.     
\end{description}    

Go back to the Insert Scripts tab. You can view detailed information about the scripts you just created. 
To edit and delete, find the item you want to edit or delete in the list. 
Click \textbf{Edit} or \textbf{Delete} at the top left. To download it, you can click the cloud icon under \textbf{File}, 
and wait a few seconds to download the file to your local folder. 
You can search scripts list based on ID and Name. Enter search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{Hijack Files}{Hijack Files}
\subsection*{\hypertarget{link:Hijack Files}{Hijack Files}}
\addcontentsline{toc}{subsection}{Hijack Files}
\label{sec:decrypt:profile:hijack}

The Proxy Policy can hijack a file download or a page. You can upload a file, image, or HTML page for hijacking via \textbf{Proxy} > \textbf{Hijack Files}.

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Hijack Files}, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 64 characters.
    \item[STEP 3.]	Upload a \textbf{File}. Only img, exe, apk, and html types are allowed.
    \item[STEP 4.]	Enable Mirror Server Response or enter a \textbf{Download Name}. 
    \item[STEP 5.]	Select a \textbf{File Type}. 
\end{description} 

\notemark\textit{Note that the maximum size of an uploaded file is 20MB.}


Go back to the Hijack Files tab. You can view detailed information about the file you just created. To edit or delete a file, find the item you want to edit or delete in the list and 
click \textbf{Edit} or \textbf{Delete} at the top left. To download it, click the cloud icon under \textbf{File} and wait a few seconds for the file to be downloaded to your local folder. 
You can search the file list based on ID and Name. Enter the search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{Traffic Mirror Profiles}{Traffic Mirror Profiles}
\subsection*{\hypertarget{link:Decryption Mirror Profiles}{Decryption Mirror Profiles}}
\addcontentsline{toc}{subsection}{Decryption Mirror Profiles}
\label{sec:decrypt:profile:mirror}

You can also mirror proxied (decrypted) traffic to third-party servers by referencing a traffic mirror profile. 
The destination servers are identified by VLAN tag or MAC address. Traffic is load-balanced over the multiple servers of one profile.


You can manage the profile by the following procedure:

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Decryption Mirror Profiles} tab, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters.
    \item[STEP 3.]	Select VLAN or MAC as your \textbf{Connectivity} from the drop-down.
    \item[STEP 4.]	Enter \textbf{VLAN ID/MAC}. Make sure to input a valid mirror destination MAC address. 
\end{description} 

Go back to the Traffic Mirror Profiles tab. You can view detailed information about the profile you just created. 
To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. 
You can search the profile list based on ID and Name. Enter search conditions in the search bar and click the search icon.

%\pdfbookmark[2]{Decryption Profile}{Decryption Profile}
\subsection*{\hypertarget{link:Decryption Profile}{Decryption Profile}}
\addcontentsline{toc}{subsection}{Decryption Profile}
\label{sec:decrypt:profile:decryptionprofile}

A Decryption Profile includes three parts: Certificate Checks, Dynamic bypass, and Protocol Version. 

%\pdfbookmark[3]{Certificate Checks}{Certificate Checks}
\subsubsection*{\hypertarget{link:Certificate Checks}{Certificate Checks}}
\addcontentsline{toc}{subsubsection}{Certificate Checks}
\label{sec:decrypt:profile:decryptionprofile:check}

Server certificate verification options allow you to customize certificate check approaches.


\textbf{Common Name}: TSG checks whether the SNI extension of the client hello matches the CN and SAN of the certificate.


\textbf{Issuer}: TSG checks the certificate chain to verify that the issuer is in the trusted certificate authority list. See Certificate Managements > Trusted Certificate Authorities > Built-in for a complete list.


\textbf{Self-signed}: TSG checks whether a certificate is self-signed.


\textbf{Expiry Date}: TSG checks whether a certificate has expired according to the system clock.


\textbf{Fail Action}: If the certificate is considered invalid, the proxy will take the fail action:

\begin{itemize}
    \item \textbf{Fail-Close}: Terminate the SSL session by closing the TCP connection.
    \item \textbf{Pass-through}: For an expired, untrusted-issuer or self-signed certificate, TSG sends a certificate signed by 
    the default untrusted keyring to the client side, so the client-side browser raises an untrusted issuer warning. 
    For a mismatched common name, TSG sends a certificate signed by the policy-defined keyring, and the client-side browser raises a common name invalid warning.
\end{itemize}
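The four checks and the Fail Action above, applied to a server chain in the dictionary form that Python's ssl.getpeercert() returns, as an added example (not TSG's implementation): the profile layout, the keyring labels and the sample certificates are constructed assumptions, and signature verification of the chain is left to the TLS library rather than repeated here.

```python
import ssl

# Constructed sample certificates in the dict form returned by ssl.SSLSocket.getpeercert()
# (not real sites). ROOT_CA stands for an entry in the Trusted Certificate Authorities list.
ROOT_CA = {'subject': ((('organizationName', 'Example Trust'),), (('commonName', 'Example Root CA'),)),
           'issuer': ((('organizationName', 'Example Trust'),), (('commonName', 'Example Root CA'),)),
           'notBefore': 'Jan  1 00:00:00 2020 GMT', 'notAfter': 'Jan  1 00:00:00 2040 GMT'}
GOOD_LEAF = {'subject': ((('commonName', 'www.example.com'),),), 'issuer': ROOT_CA['subject'],
             'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.example.com')),
             'notBefore': 'Jan  1 00:00:00 2024 GMT', 'notAfter': 'Jan  1 00:00:00 2026 GMT'}
SELF_SIGNED = {'subject': ((('commonName', 'intranet.example.com'),),),
               'issuer': ((('commonName', 'intranet.example.com'),),),
               'notBefore': 'Jan  1 00:00:00 2024 GMT', 'notAfter': 'Jan  1 00:00:00 2026 GMT'}
NOW = ssl.cert_time_to_seconds('Jun  1 00:00:00 2025 GMT')   # fixed "system clock" for the example

# Assumed layout of the Certificate Checks part of a Decryption Profile.
PROFILE = {'common_name': True, 'issuer': True, 'self_signed': True, 'expiry_date': True,
           'fail_action': 'pass-through'}                     # or 'fail-close'


def _dn(name):
    """Flatten a getpeercert() distinguished name into a dict, e.g. {'commonName': 'x'}."""
    return {k: v for rdn in name for (k, v) in rdn}


def _match_name(pattern, host):
    """RFC 6125-style match: a wildcard is allowed only as the whole leftmost label and
    matches exactly one label, so *.example.com covers api.example.com but not example.com."""
    p, h = pattern.lower().rstrip('.').split('.'), host.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False
    if p[0] == '*':
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_common_name(cert, sni):
    """Common Name check: the client hello's SNI must match the CN or a DNS SAN."""
    names = [v for (t, v) in cert.get('subjectAltName', ()) if t == 'DNS']
    cn = _dn(cert['subject']).get('commonName')
    if cn:
        names.append(cn)
    return any(_match_name(n, sni) for n in names)


def check_issuer(chain, trusted_cas):
    """Issuer check: walk the presented chain leaf-first; each issuer must be the next
    certificate's subject, and the top of the chain must be issued by a CA in the
    Trusted Certificate Authorities list."""
    for cert, parent in zip(chain, chain[1:]):
        if _dn(cert['issuer']) != _dn(parent['subject']):
            return False
    return _dn(chain[-1]['issuer']) in [_dn(ca['subject']) for ca in trusted_cas]


def check_self_signed(cert):
    """Self-signed check: issuer and subject are the same name."""
    return _dn(cert['subject']) == _dn(cert['issuer'])


def check_expiry(cert, now):
    """Expiry Date check against the given clock (seconds since the epoch)."""
    return ssl.cert_time_to_seconds(cert['notBefore']) <= now <= ssl.cert_time_to_seconds(cert['notAfter'])


def evaluate(chain, sni, trusted_cas, now, profile):
    """Run the enabled checks on the server chain (leaf first) and apply the Fail Action.
    Returns (verdict, keyring used to re-sign the certificate for the client, failed checks)."""
    leaf = chain[0]
    failed = []
    if profile['common_name'] and not check_common_name(leaf, sni):
        failed.append('common_name')
    if profile['issuer'] and not check_issuer(chain, trusted_cas):
        failed.append('issuer')
    if profile['self_signed'] and check_self_signed(leaf):
        failed.append('self_signed')
    if profile['expiry_date'] and not check_expiry(leaf, now):
        failed.append('expiry_date')
    if not failed:
        return ('intercept', 'policy keyring', failed)
    if profile['fail_action'] == 'fail-close':
        return ('close', None, failed)             # Fail-Close: tear down the TCP connection
    # Pass-through: expired, untrusted-issuer or self-signed certificates are re-signed with the
    # default untrusted keyring (#0) so the browser warns about an untrusted issuer; a common-name
    # mismatch alone is re-signed with the policy keyring so the browser warns about the name.
    # Assumption: a trust failure takes precedence when both kinds of failure occur.
    if failed == ['common_name']:
        return ('pass-through', 'policy keyring', failed)
    return ('pass-through', 'default untrusted keyring (#0)', failed)
```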

%\pdfbookmark[3]{Dynamic Bypass}{Dynamic Bypass}
\subsubsection*{\hypertarget{link:Dynamic Bypass}{Dynamic Bypass}}
\addcontentsline{toc}{subsubsection}{Dynamic Bypass}
\label{sec:decrypt:profile:decryptionprofile:bypass}

Dynamic bypass options allow you to customize intercept exceptions on a policy basis. 
If an SSL session matches an intercept policy and has one of the following enabled properties, further communication will be exempt from interception. 
That is to say, with dynamic bypass enabled, the client-side can visit normally.


\textbf{EV Certificate}: An Extended Validation (EV) Certificate is a certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority.


\textbf{Certificate Transparency}: Certificate Transparency (CT) is an internet security standard and open-source framework for monitoring and auditing digital certificates.


\textbf{Mutual Authentication}: Mutual authentication is a process or technology in which both entities in a communications link authenticate each other. 
The server sends a client certificate request, and the client must respond with a valid certificate. 
The proxy cannot intercept SSL sessions that use mutual authentication, so these sessions will be blocked when this option is disabled.


\textbf{On Protocol Errors}: Protocol errors include unsupported ciphers, communication exceptions, and so on; enabling this option increases network availability. 


\textbf{Certificate Pinning}: The application knows the server certificate by hard-coding it, and can therefore ignore the device’s trust store and rely on its own. 
The proxy detects pinning by client alerts and SSL handshake errors. 
The proxy can also determine whether the current connection is pinning through the SSL Fingerprint profile, 
which is checked in advance. The proxy cannot intercept SSL sessions that use certificate pinning, so 
these sessions will be blocked when this option is disabled.
For more details, see \textbf{\hyperlink{link:Dynamic Bypass when Certificate Pinning}{\color{linkblue}{Dynamic Bypass when Certificate Pinning}}}.


\textbf{Certificate Not Installed}: The trusted root certificate is not installed on the client.  
For more details, see \textbf{\hyperlink{link:Dynamic Bypass when Certificate is Not Installed}{\color{linkblue}{Dynamic Bypass when Certificate is Not Installed}}}.

%\pdfbookmark[4]{Dynamic Bypass when Certificate Pinning}{Dynamic Bypass when Certificate Pinning}
\hypertarget{link:Dynamic Bypass when Certificate Pinning}{\paragraph{Dynamic Bypass when Certificate Pinning}}
\addcontentsline{toc}{paragraph}{Dynamic Bypass when Certificate Pinning}
\label{sec:decrypt:profile:decryptionprofile:bypass:pinning}

%\newline
Certificate pinning is the process by which a client checks the server certificate against its pre-configured certificate list; 
if the server certificate does not match, the client prevents the session from taking place. 
This enforcement ensures that user devices communicate only with the dedicated trusted servers. 
Applications such as Facebook, Twitter and the Apple App Store use the certificate pinning approach.


For an SSL proxy to decrypt and re-encrypt traffic in order to enforce a proxy policy, it must replace the server certificate that the server sends to the client. 
Once it has intercepted the server certificate, it replaces it with one signed by the keyring. 
If a site works in a browser but not in an app on the same device, you are almost certainly looking at an instance of certificate pinning.


In practice, applications that use certificate pinning will block their communications when they are MITMed. 
Alternatively, you can configure SSL Proxy to automatically bypass the next connection when the first N attempts to establish a connection fail.


The following behaviors indicate that an application uses certificate pinning:

• The proxy received an SSL ALERT message from the client during the SSL handshake. The alert is usually an “Unknown CA (48)” alert, which indicates certificate pinning.


• The proxy received no alert; instead, it received a TCP reset after the handshake completed.


If SSL connection establishment fails as above 4 or more times within 5 minutes, the proxy considers it certificate pinning. 
The following attributes are recorded so that further connections can be bypassed:


• Client IP address


• Server Name Indication (SNI) of the SSL handshake message, if any


• SSL fingerprint, e.g. the cipher suites of the SSL handshake message


Different applications often have different handshake fingerprints, so the proxy bypasses only those that use certificate pinning. 

%\pdfbookmark[4]{Dynamic Bypass when Certificate is Not Installed}{Dynamic Bypass when Certificate is Not Installed}
\hypertarget{link:Dynamic Bypass when Certificate is Not Installed}{\paragraph{Dynamic Bypass when Certificate is Not Installed}}
\addcontentsline{toc}{paragraph}{Dynamic Bypass when Certificate is Not Installed}
\label{sec:decrypt:profile:decryptionprofile:bypass:notinstalled}

%\newline
As a best practice, the trusted root certificate should be installed on clients so that browsers/apps perform the certificate checks that 
validate the proxy's identity before establishing a connection. When a client does not have the trusted root certificate installed, intercepting its SSL connection fails.


The challenge is that the behavior of a client without the certificate installed is very similar to certificate pinning. 
The proxy determines whether the current connection is Not Pinning by querying the SSL fingerprint profile. 
When an SSL connection fails in the same way as certificate pinning but its fingerprint status is Not Pinning, the application is not considered to be pinning. 
The following figure shows the process.


You can configure SSL Proxy to bypass those applications automatically, or alternatively, keep intercepting so that the client must install the trusted root certificate.


Let's dig into the technical details with a use case. There are two clients, client A and client B, on our network. 
They share the same IPv4 address (NAT). Client A has the trusted root certificate installed and uses the Facebook app (pinning); 
client B has no root certificate installed and uses Chrome to visit the Facebook website (not pinning). With the following dynamic bypass configuration:


• Certificate Pinning: Enabled


• Certificate Not Installed: Disabled


At the beginning, both client A's and client B's SSL connections fail, each for its own reason. The proxy then identifies client B's SSL connection as MITMable by finding that Chrome's SSL fingerprint status is Not Pinning in the SSL fingerprint profile. Finally, client A is bypassed and client B is not.
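The detection flow described above (a client alert or post-handshake TCP reset as the failure indication, 4 or more failures within 5 minutes keyed by client IP, SNI and SSL fingerprint, and the fingerprint-profile lookup that separates a pinning app from a client that simply lacks the root certificate), together with the client A / client B use case, as an added Python model. This is illustrative code written for this section, not SSL Proxy's own implementation: the \texttt{DynamicBypass} class, the fingerprint names \texttt{fp-app} and \texttt{fp-chrome}, the NAT address 10.0.0.5 and the alert record bytes are all constructed for the example.

```python
"""Model of the dynamic-bypass decision flow described in this section.
Added example, not the SSL Proxy's own code. Constructed assumptions:
failure indications are a TLS Alert record from the client (often
unknown_ca, 48) or a TCP reset after the handshake; failing connections are
keyed by (client IP, SNI, SSL fingerprint); 4 or more failures within 5
minutes trigger the decision; and the SSL fingerprint profile maps a
fingerprint to "Not Pinning" when the client is known to be MITMable."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

TLS_ALERT = 0x15          # TLS record content type: Alert
ALERT_UNKNOWN_CA = 48     # AlertDescription unknown_ca
FAIL_THRESHOLD = 4        # failures needed inside the window
FAIL_WINDOW_SEC = 300     # 5 minutes


def parse_tls_alert(record: bytes):
    """Return (level, description) for a TLS Alert record, else None."""
    if len(record) < 7 or record[0] != TLS_ALERT:
        return None
    length = int.from_bytes(record[3:5], "big")   # bytes 1-2 are the record version
    if length != 2:                                # an Alert body is exactly 2 bytes
        return None
    return record[5], record[6]


def is_failure_indication(alert_record=None, tcp_reset_after_handshake=False):
    """A handshake is treated as failed on any client alert or a post-handshake reset."""
    if tcp_reset_after_handshake:
        return True
    return alert_record is not None and parse_tls_alert(alert_record) is not None


@dataclass
class BypassConfig:
    certificate_pinning: bool = True         # Dynamic bypass > Certificate Pinning
    certificate_not_installed: bool = False  # Dynamic bypass > Certificate Not Installed


@dataclass
class DynamicBypass:
    config: BypassConfig
    fingerprint_profile: dict                    # fingerprint -> "Pinning" / "Not Pinning"
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    bypassed: set = field(default_factory=set)

    def classify(self, key):
        """'intercepting' below threshold; else 'pinning' unless the profile says Not Pinning."""
        if len(self.failures[key]) < FAIL_THRESHOLD:
            return "intercepting"
        if self.fingerprint_profile.get(key[2]) == "Not Pinning":
            return "not-installed"   # fails like pinning, but the client is known to be MITMable
        return "pinning"

    def record_failure(self, client_ip, sni, fingerprint, now):
        """Count a failed handshake; returns the classification after this failure."""
        key = (client_ip, sni, fingerprint)
        window = self.failures[key]
        window.append(now)
        while window and now - window[0] > FAIL_WINDOW_SEC:   # drop failures older than 5 min
            window.popleft()
        verdict = self.classify(key)
        if (verdict == "pinning" and self.config.certificate_pinning) or (
            verdict == "not-installed" and self.config.certificate_not_installed
        ):
            self.bypassed.add(key)   # further connections from this key are exempt
        return verdict

    def should_bypass(self, client_ip, sni, fingerprint):
        return (client_ip, sni, fingerprint) in self.bypassed


def run_use_case():
    """Clients A (pinning app) and B (Chrome without the root cert) behind one NAT address."""
    profile = {"fp-chrome": "Not Pinning"}        # constructed profile; "fp-app" has no entry
    config = BypassConfig(certificate_pinning=True, certificate_not_installed=False)
    proxy = DynamicBypass(config, profile)
    # Constructed record: TLS 1.2 Alert, level fatal (2), description unknown_ca (48)
    unknown_ca = bytes([TLS_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, ALERT_UNKNOWN_CA])
    for t in range(4):                            # four failures 30 s apart, inside the window
        if is_failure_indication(alert_record=unknown_ca):
            proxy.record_failure("10.0.0.5", "facebook.com", "fp-app", now=30 * t)
        if is_failure_indication(tcp_reset_after_handshake=True):
            proxy.record_failure("10.0.0.5", "facebook.com", "fp-chrome", now=30 * t)
    return {
        "A_bypassed": proxy.should_bypass("10.0.0.5", "facebook.com", "fp-app"),
        "B_bypassed": proxy.should_bypass("10.0.0.5", "facebook.com", "fp-chrome"),
        "A_class": proxy.classify(("10.0.0.5", "facebook.com", "fp-app")),
        "B_class": proxy.classify(("10.0.0.5", "facebook.com", "fp-chrome")),
    }


if __name__ == "__main__":
    print(run_use_case())
```

Because the key includes the SSL fingerprint, the two clients behind one NAT address are tracked separately: A's failures are classified as pinning and bypassed, while B's are classified as not-installed and, with Certificate Not Installed disabled, keep being intercepted. Failures older than the 5-minute window are discarded, so a client that fails only sporadically never reaches the threshold.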

%\pdfbookmark[3]{Protocol Version}{Protocol Version}
\subsubsection*{\hypertarget{link:Protocol Version}{Protocol Version}}
\addcontentsline{toc}{subsubsection}{Protocol Version}
\label{sec:decrypt:profile:decryptionprofile:version}

Protocol Version allows you to configure the SSL/TLS version. By default, the proxy mirrors the client's versions. 
Some websites disable SSLv3 support for security reasons; setting both the minimum and maximum version to SSLv3 will interrupt communication.


HTTP/2 is a major revision of the HTTP network protocol that provides increased speed. 
If Allow HTTP/2 is enabled, users get a better experience, but third-party systems must be able to process decrypted HTTP/2 traffic.
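The version-range behaviour described above, as an added Python model that is not the product's code. It assumes, as a simplification, that the proxy offers the client's own versions to the server when Mirrors Client Versions is enabled and the configured Min..Max range otherwise, and that the server picks the highest version both sides support; the client and server version sets (\texttt{CHROME}, \texttt{SERVER}) are constructed for the example.

```python
"""Protocol Version negotiation model for the SSL proxy: an added example,
not the product's implementation. Assumption: with "Mirrors Client Versions"
the proxy offers the client's versions upstream; otherwise it offers the
configured Min..Max range, and the server selects the highest common version."""

# Versions selectable in the profile, ordered oldest to newest
VERSIONS = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def offered_range(client_versions, mirror_client=True, min_version=None, max_version=None):
    """Versions the proxy offers to the server for this session."""
    if mirror_client:
        return [v for v in VERSIONS if v in client_versions]
    lo, hi = VERSIONS.index(min_version), VERSIONS.index(max_version)
    if lo > hi:
        raise ValueError("Min version must not be newer than Max version")
    return VERSIONS[lo:hi + 1]


def negotiate(offered, server_versions):
    """Highest version in both sets, or None when the handshake cannot proceed."""
    common = [v for v in VERSIONS if v in offered and v in server_versions]
    return common[-1] if common else None


# Constructed sample: a modern browser, and a server that has disabled SSLv3.
CHROME = {"TLSv1.2", "TLSv1.3"}
SERVER = {"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def demo():
    """Mirroring the client succeeds; pinning both Min and Max to SSLv3 interrupts the session."""
    mirrored = negotiate(offered_range(CHROME), SERVER)
    sslv3_only = negotiate(offered_range(CHROME, False, "SSLv3.0", "SSLv3.0"), SERVER)
    return mirrored, sslv3_only


if __name__ == "__main__":
    print(demo())
```

The mirrored case negotiates TLSv1.3, while the SSLv3-only range yields no common version, which is the interruption the text warns about.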

%\pdfbookmark[3]{Create a Decryption Profile}{Create a Decryption Profile}
\subsubsection*{\hypertarget{link:Create a Decryption Profile}{Create a Decryption Profile}}
\addcontentsline{toc}{subsubsection}{Create a Decryption Profile}
\label{sec:decrypt:profile:decryptionprofile:create}

Perform the following to create a decryption profile:

\begin{description}
    \item[STEP 1.]	Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Profile}, and click \textbf{Create}.
    \item[STEP 2.]	Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters.
    \item[STEP 3.]	Enable or disable the following certificate checks: \textbf{Common Name}, \textbf{Issuer}, \textbf{Self-signed} and \textbf{Expiry Date}. If you enable Common Name, select Fail-close or Pass-through as your \textbf{Fail Action}. 
    \item[STEP 4.]	Enable or disable the following Dynamic bypass: \textbf{EV Certificate}, \textbf{Certificate Transparency}, \textbf{Mutual Authentication}, \textbf{On Protocol Errors}, \textbf{Certificate Pinning}, \textbf{Certificate Not Installed}.
    \item[STEP 5.]	Enable or disable the following Protocol Versions: \textbf{Mirrors Client Versions}, \textbf{Allow HTTP/2}. If you disable Mirrors Client Versions, you must select the Min and Max versions from SSLv3.0, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3.
\end{description} 

Go back to the Decryption Profile tab. You can view detailed information about the profile you just created. To edit or delete a profile, find the item in the list and 
click \textbf{Edit} or \textbf{Delete} at the top left. You can search the profile list by ID and Name: enter the search conditions in the search bar and click the search icon.