This article applies to:
- WebMarshal 6.1 and above
- Note changes at version 7.3, 6.12, and 6.11
- HTTPS Content Inspection
- SSL/TLS version settings
Question:
- How does WebMarshal HTTPS content inspection affect SSL/TLS settings?
Information:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the protocols that allow web browsers and web sites to communicate securely using HTTPS.
The following SSL/TLS protocol versions are currently supported by WebMarshal (subject to the WebMarshal version noted):
- SSLv2 (the original protocol, less secure and now deprecated)
- SSLv3 (also considered less secure)
- TLSv1.0
- TLSv1.1 (WebMarshal 6.11 and above)
- TLSv1.2 (WebMarshal 6.11 and above)
- TLSv1.3 (WebMarshal 7.3 and above)
When a web browser connects to a site using HTTPS, the browser and the site negotiate a protocol version and cipher suite from those they both support (usually the most secure available). This negotiated combination is used to create the encrypted connection.
- Some recent security standards (such as the US Government FIPS) require use of TLSv1.0 (or above).
- All recent web browsers support the latest TLS versions.
- Some recent web browsers have completely disabled support for SSLv2.
- Internet Explorer 6 has disabled support for TLSv1 by default.
How WebMarshal affects SSL
When WebMarshal HTTPS Content Inspection is enabled, two secure connections are required: one between the browser and WebMarshal, and another between WebMarshal and the web site. These connections are negotiated separately. WebMarshal supports the protocol versions listed above.
If a remote site does not support the strongest protocol versions, by default WebMarshal will use any version the site offers. The version negotiated on the WebMarshal-to-site connection is not reported to the browser. Therefore, even if a user sets their browser to refuse SSLv2, the Internet connection through WebMarshal could still be using SSLv2.
WebMarshal SSL Options
You can configure WebMarshal HTTPS rules to accept or refuse an SSL/TLS protocol version (using the rule condition "Where the security protocol is"). WebMarshal can warn the user, or block the connection, if a lower-security protocol version is in use.
If SSL security is important to your organization, and you are using WebMarshal HTTPS inspection, you should configure WebMarshal rules in support of your SSL security policy.
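Because the browser never sees which protocol version WebMarshal negotiated on its own connection to the site, the practical way to find out what a remote site will accept is to probe it yourself and compare the result against the warn/block policy you express with the "Where the security protocol is" rule condition. The following Python script is an added example, not part of this article and not WebMarshal code; it uses only the standard library's ssl module, and the hostname (example.com is a placeholder), the warn/block mapping and the function names are assumptions for illustration. It pins one handshake per protocol version and reports which versions the server accepted; SSLv2 cannot be probed this way because no supported OpenSSL build speaks it, and OpenSSL 3 refuses TLSv1.0/1.1 at its default security level, so the probe lowers that level only for those legacy versions.

```python
import socket
import ssl

# Policy for negotiated protocol versions, mirroring the warn/block choices the
# article describes for the "Where the security protocol is" rule condition.
# The mapping itself is an assumption for this example; adjust it to your policy.
POLICY = {
    "SSLv2": "block",
    "SSLv3": "block",
    "TLSv1": "warn",      # name ssl.SSLSocket.version() reports for TLSv1.0
    "TLSv1.1": "warn",
    "TLSv1.2": "allow",
    "TLSv1.3": "allow",
}

# Versions the local ssl module can pin a handshake to. SSLv2 is absent because
# no supported OpenSSL build can speak it, so it cannot be probed from here.
PROBE_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def classify(version_name):
    """Return the policy verdict for a negotiated protocol name; unknown names are blocked."""
    return POLICY.get(version_name, "block")


def _pinned_context(version):
    """Build a client context that will negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the certificate chain, so skip verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLSv1.0/1.1 at its default security level; lower it
        # for the probe only, so a legacy-only server is detected rather than hidden.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per version. Returns {name: True/False/None}; None
    means the local OpenSSL build cannot offer that version at all."""
    results = {}
    for name, version in PROBE_VERSIONS:
        try:
            ctx = _pinned_context(version)
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def summarize(results):
    """Group probed versions by policy verdict. Versions the server refused are
    omitted; versions that could not be probed go under 'untestable'."""
    summary = {"block": [], "warn": [], "allow": [], "untestable": []}
    for name, accepted in results.items():
        if accepted is None:
            summary["untestable"].append(name)
        elif accepted:
            summary[classify(name)].append(name)
    return summary


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    for verdict, names in summarize(probe_versions(target)).items():
        print(f"{verdict:<10} {', '.join(names) or '-'}")
```

Run it as `python probe.py somesite.example` from a host that reaches the site directly (not through WebMarshal, since the proxy would negotiate its own outbound connection). Any version listed under "warn" or "block" is one WebMarshal could end up negotiating on your behalf unless a rule refuses it; an entry under "untestable" means your local OpenSSL cannot offer that version, which says nothing about the server.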
Change in version 7.3 and above
- TLSv1.3 is supported in 7.3 and above.
Change in version 6.12 and above
- SSLv2 is no longer supported through WebMarshal.
- All configuration options related to SSLv2 are removed from WebMarshal as of version 6.12.
- When HTTPS inspection is enabled, Trustwave recommends you use the rule condition "Where SSL/TLS could not be negotiated" to block any attempt to connect with SSLv2.
- A rule to block connections "Where SSL/TLS could not be negotiated" is created and enabled on new installation and on upgrade.
- SSLv3 is blocked by default, as of version 6.11 (see below).
Change in version 6.11
When HTTPS Content Inspection is enabled, connections that use SSLv2 or SSLv3 are blocked by default regardless of rule conditions. To configure the list of SSL and TLS protocols that will be negotiated and allowed, see Trustwave Knowledge Base article Q20067.
Notes:
- When WebMarshal HTTPS Content Inspection is not enabled, or if HTTPS Content Inspection is not enabled for a particular site, the secure connection is made directly between the browser and the site. The settings in the browser control the protocols that are accepted.
- You can select TLS/SSL options for Internet Explorer from the IE Tools > Options > Advanced tab, Security section.