SSL/TLS inspection settings
With SSL/TLS inspection settings, you can specify the default settings to enforce secure protocol versions and occurrences.
You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after Sophos Firewall intercepts, decrypts, and inspects secure traffic. You can specify the settings to drop or reject non-decryptable traffic, which includes insecure protocol versions and occurrences, such as SSL compression and connections that exceed the decryption capabilities of the firewall. You can downgrade TLS 1.3 to TLS 1.2 connections if you face issues using TLS 1.3.
The settings apply to all SSL/TLS inspection rules. You can override some SSL/TLS inspection settings by adding individual decryption profiles to inspection rules.
Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.
Re-signing certificate authorities
Specify the re-signing certificate authority for SSL/TLS connections intercepted by Sophos Firewall. The decryption profile attached to an SSL/TLS inspection rule can override these actions for the rule.
Re-signing certificates must be trusted by the endpoint devices. If they aren’t, browsers will show a warning and may refuse to complete the connection.
Under most circumstances, this requires the installation of copies of the certificates in the browsers or the operating system certificate stores of the endpoint devices. Alternatively, you can create and use signing certificates that are subordinate to an existing trusted enterprise CA for your organization. It isn’t possible to obtain signing certificates from CAs that are already trusted by operating systems or browsers.
Most certificate authorities use certificates with either RSA or Elliptic Curve (EC) encryption keys. In most situations, certificates of one type can be signed by certificate authorities of the other, allowing you to use the same CA for both. If you encounter problems with applications that expect certificates of only one type, you can add an EC key and use it for re-signing certificates that were originally signed by an EC-based authority. If you add a second CA, ensure that it is trusted by all endpoint devices.
|Re-sign RSA with||Used when the website’s certificate was signed using RSA. You can specify an EC or RSA certificate.|
|Re-sign EC with||Used when the website’s certificate was signed using EC. You can specify an EC or RSA certificate.|
Specify the action for the traffic we won't decrypt, such as insecure protocol versions and occurrences. The decryption profile attached to an SSL/TLS inspection rule can override these actions for the rule.
|SSL 2.0 and SSL 3.0||Allowing these connections lowers security.|
|SSL compression||Compression before encryption has known vulnerabilities.|
|When SSL/TLS connections exceed limit||Applies to excess traffic when volume exceeds the decryption capability of the firewall. |
To see the decryption limit, go to Control center and select the SSL/TLS connections widget.
Select the action for the traffic we won't decrypt:
- Allow without decryption
- Drop: Drops without notifying the source.
- Reject: Drops and sends a connection reset message to the source host.
Sophos Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and Unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.
To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.
TLS 1.3 compatibility
TLS 1.3 decryption
Select the action.
- Decrypt as 1.3
- Downgrade to TLS 1.2 and decrypt: Some servers and clients haven’t implemented TLS 1.3 yet. Select this option if you experience issues using TLS 1.3.
Attackers can exploit vulnerabilities during the downgrade. Selecting the downgrade option applies the setting to all SSL/TLS inspection rules.
For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:
- Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.
- Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
- Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, Sophos Firewall applies the block action Reject.
SSL/TLS engine: Disable the engine only when you want to troubleshoot. Once you complete troubleshooting, enable it again.
When you disable the engine, Sophos Firewall won't apply SSL/TLS inspection rules, and the DPI engine won't apply the web policy specified in firewall rules to HTTPS traffic. However, this does not affect HTTPS decryption by the web proxy when web proxy filtering is configured in firewall rules.