Skip to content

Add a decryption profile

Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.


Android devices are known to generate SSL/TLS certificate errors, causing decryption to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

  1. Go to Profiles > Decryption profiles and click Add.
  2. Enter a name.
  3. Add a description.
  4. Specify the re-signing certificate authority for SSL/TLS connections intercepted by Sophos Firewall.

    Re-signing certificates must be trusted by the endpoint devices. If they aren’t, browsers will show a warning and may refuse to complete the connection.


    Under most circumstances, this requires the installation of copies of the certificates in the browsers or the operating system certificate stores of the endpoint devices. Alternatively, you can create and use signing certificates that are subordinate to an existing trusted enterprise CA for your organization. It isn’t possible to obtain signing certificates from CAs already trusted by operating systems or browsers.

    Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) encryption keys. In most situations, certificates of one type can be signed by certificate authorities of the other, allowing you to use the same CA for both. If you encounter problems with applications that expect certificates of only one type, you can add an EC key and use it for re-signing certificates that were originally signed by an EC-based authority. If you add a second CA, ensure that it is trusted by all endpoint devices.

    Name Description
    Use CAs defined in SSL/TLS settings Uses the certificate authority specified in SSL/TLS inspection settings.
    Re-sign RSA with Used when the website’s certificate was signed using RSA.

    You can specify an EC or RSA certificate.
    Re-sign EC with Used when the website’s certificate was signed using EC.

    You can specify an EC or RSA certificate.
  5. Specify the action for non-decryptable traffic, such as insecure protocol versions, occurrences, and cipher suites.

    Name Description
    SSL 2.0 and SSL 3.0 Allowing these connections lowers security.
    SSL compression Compression before encryption has known vulnerabilities.
    When SSL/TLS connections exceed limit Applies to excess traffic when volume exceeds the decryption capability of the firewall.

    To see the decryption limit, go to Control center and select the SSL/TLS connections widget.
    Unrecognized cipher suites Firewalls can't decrypt traffic using unrecognized cipher suites. Using unrecognized cipher suites lowers security.

    Action for non-decryptable traffic:

    • Use SSL/TLS settings default: Applies the action specified in SSL/TLS inspection settings. This option doesn’t apply to unrecognized cipher suites.
    • Allow without decryption
    • Drop: Drops without notifying the source.
    • Reject: Drops and sends a connection reset message to the source host.


    Sophos Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and Unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.

    To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.

  6. Specify the certificate, protocol, and cipher enforcement details.

    Name Description
    Certificate errors to block Select the certificate errors.
    Sophos Firewall blocks connections that have the specified errors.
    • Invalid date - Self-signed
    • Untrusted user - Revoked: You must import a certificate revocation list (CRL) for this feature to work.
    • Name mismatch: Checks that the server name requested in the Client Hello matches the domain names represented by the certificate.
    • Invalid for other reasons

    If you created an exception for HTTPS decryption in Web > Exceptions, Sophos Firewall allows traffic with invalid certificates if the traffic matches the exception criteria.
    Minimum RSA key size Select a minimum key length.

    Keys less than 2048 bits are no longer considered secure. Allow them only if it's necessary to ensure compatibility with older servers that can't be upgraded.
    Minimum SSL/TLS version Select the minimum protocol version to allow.

    Versions earlier than TLS 1.2 are no longer considered secure. Allow them only if it's necessary to ensure compatibility.
    Maximum SSL/TLS version Select the maximum protocol version to enforce.

    To implement the latest available version, select Maximum supported. When a later protocol version becomes available, Sophos Firewall will implement that version automatically.
    Cipher algorithms to block Select the key exchange, authentication mechanism, bulk ciphers, and hash algorithms to block.
    Block action Select the action to apply.
    • Drop: Drops without notifying the source.
    • Reject: Drops and sends a connection reset message to the source host.
    • Reject and notify: Establishes the connection but prevents any data transfer with the server. For HTTPS connections, attempts to display a block page with the error reason to the user.

    For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:

    • Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
    • Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, Sophos Firewall applies the block action Reject.
    • Click Save.

Go to Rules and policies > SSL/TLS inspection rules and add the decryption profile to a rule to specify the action.

More resources