Adding exclusions for SSL Bumping

These instructions are applicable if Kaspersky Web Traffic Security was installed from an RPM or DEB package to an existing operating system. If Kaspersky Web Traffic Security was deployed from an ISO file, you cannot edit the configuration files of the built-in proxy server.

You may need to add exclusions for SSL Bumping in the following cases:

• Software uses a protocol other than HTTPS (such as SSH, RDP, or VPN).
• Software or web resource uses the WebSockets or HTTP/2.0 protocol.
• National encryption algorithms (such as GOST or SM2) are being used to access a web resource.
• Software uses server certificate pinning.
• Software or web resource requires authorization based on the client SSL certificate.

To add exclusions for SSL Bumping:

1. Create a file named /etc/squid/donotbump.list containing a list of domain names of the web resources and hosts that you want to add to exclusions.

   Each domain name must be listed on a new line.

   To add a domain with all its subdomains to exclusions, put a dot at the beginning of the value (for example, .domain.com).

2. Add the following directives to the configuration file /etc/squid/squid.conf:

   acl do_not_bump dstdomain "/etc/squid/donotbump.list"

   ssl_bump splice do_not_bump

   These strings must be added before the final directive ssl_bump stare all.

3. Restart the Squid service. To do so, execute the command:

   service squid restart

The SSL Bumping exclusions will be added.

Page top