Decrypting TLS/SSL connections
December 13, 2023
This functionality is available only in an application deployed from an ISO image. When the application is installed from an RPM or DEB package, the administrator must configure decryption of TLS/SSL connections using the resources of the proxy server.
Users' computers may connect to web resources using unencrypted or encrypted connections. Kaspersky Web Traffic Security can scan both types of traffic. Unencrypted connections are scanned using standard traffic processing rules. To process encrypted traffic, you must configure decryption of TLS/SSL connections. If decryption is not configured, the application will not be able to apply all settings of access rules, or perform scans using the Anti-Virus and Anti-Phishing modules within the scope of protection rules.
In the documentation and in the web interface of the application, the term "SSL" is used as a well-established synonym for encryption (SSL connections, SSL rules). However, we recommend using TLS version 1.2 to establish encrypted connections, because the SSL protocol is outdated and unsafe.
Decryption of SSL connections consists of the following steps:
- Reading the special considerations for handling encrypted connections
- Adding a certificate for intercepting SSL connections
  After adding one or multiple certificates, you must assign the active status to one of them. If no certificate is active, you cannot enable decryption of SSL connections.
- Enabling decryption of SSL connections
- Selecting the default action for SSL connections
  The default action will be applied to SSL connections that do not meet the conditions of any SSL rule.
- Creating and configuring SSL rules
  Using SSL rules, you can define the actions the application takes on SSL connections depending on the source or destination of the connection.
- Adding trusted certificates
  The proxy server will assign the Trusted status to the security certificates of web resources to which the Bump action is applied.