Operation: Add Decryption Profile / Update Decryption Profile
Description: Add a Decryption Profile. Update a Decryption Profile.

Sample Configuration
<DecryptionProfile>
  <Name>Name</Name>
  <NewName>Edited Name</NewName>
  <Description>Description</Description>
  <IsDefault>yes/no</IsDefault>
  <UseDefaultCAs>yes/no</UseDefaultCAs>
  <RSACA>CA Name</RSACA>
  <ECCA>CA Name</ECCA>
  <BlockInvalidDate>yes/no</BlockInvalidDate>
  <BlockUntrustedIssuer>yes/no</BlockUntrustedIssuer>
  <BlockSelfSigned>yes/no</BlockSelfSigned>
  <BlockRevoked>yes/no</BlockRevoked>
  <BlockNameMismatch>yes/no</BlockNameMismatch>
  <BlockOtherReasons>yes/no</BlockOtherReasons>
  <MinRSAKeySize>No minimum/1024/2048</MinRSAKeySize>
  <MinTLSVersion>TLS v1.0/TLS v1.1/TLS v1.2/TLS v1.3</MinTLSVersion>
  <MaxTLSVersion>TLS v1.0/TLS v1.1/TLS v1.2/TLS v1.3/Maximum supported</MaxTLSVersion>
  <BlockAction>Drop/Reject/Reject and notify</BlockAction>
  <UnrecognizedCiphers>Allow without decryption/Drop/Reject</UnrecognizedCiphers>
  <SSLConnectionsExceeded>Use SSL/TLS settings default/Allow without decryption/Drop/Reject</SSLConnectionsExceeded>
  <SSLv2SSLv3>Use SSL/TLS settings default/Allow without decryption/Drop/Reject</SSLv2SSLv3>
  <SSLCompression>Use SSL/TLS settings default/Allow without decryption/Drop/Reject</SSLCompression>
  <BlockedAlgorithmList>
    <KeyExchangeAlgorithm>RSA</KeyExchangeAlgorithm>
    :
    <AuthenticationAlgorithm>DSA</AuthenticationAlgorithm>
    :
    <BlockAndStreamCipher>RC4</BlockAndStreamCipher>
    :
    <HashAlgorithm>MD5</HashAlgorithm>
    :
  </BlockedAlgorithmList>
</DecryptionProfile>



Parameter   Mandatory   Default   Description
Name   Yes
Specify a name for the Decryption Profile.
Name constraints:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Character not allowed: Comma (,)
  • Maximum characters allowed are 60.
  • UTF-8 character(s) are allowed.
Description   No
Specify a description for the Decryption Profile.
Description constraints:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 255.
IsDefault   No   no
Read-only field specifying if it's a default decryption profile.
UseDefaultCAs   No   yes
Enable to use CAs specified in TLS/SSL settings for re-signing.
UseDefaultCAs constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
RSACA   No
Select the RSA CA for re-signing.
ECCA   No
Select the EC CA for re-signing.
BlockInvalidDate   No   no
Enable to block certificates with an invalid date.
BlockInvalidDate constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
BlockUntrustedIssuer   No   no
Enable to block certificates with an untrusted issuer.
BlockUntrustedIssuer constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
BlockSelfSigned   No   no
Enable to block self-signed certificates.
BlockSelfSigned constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
BlockRevoked   No   no
Enable to block revoked certificates.
BlockRevoked constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
BlockNameMismatch   No   no
Enable to block certificates with mismatched names.
BlockNameMismatch constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
BlockOtherReasons   No   no
Enable to block certificates with other errors.
BlockOtherReasons constraints:
  • Type is 'SCALAR'.
  • Only 'yes', 'no', 'true', 'false' are allowed.
MinTLSVersion   No   TLS v1.0
Select minimum allowed SSL/TLS version.
MaxTLSVersion   No   Maximum supported
Select maximum allowed SSL/TLS version.
BlockAction   No   Reject and notify
Specify the block action for the Decryption Profile.
BlockAction constraints:
  • Type is 'SCALAR'.
  • Only 'Drop', 'Reject', 'Reject and notify' are allowed.
UnrecognizedCiphers   No   Allow without decryption
Specify the action for unrecognized cipher suites.
UnrecognizedCiphers constraints:
  • Type is 'SCALAR'.
  • Only 'Allow without decryption', 'Drop', 'Reject' are allowed.
SSLConnectionsExceeded   No   Use SSL/TLS settings default
Specify the action for exceeded SSL connections.
SSLConnectionsExceeded constraints:
  • Type is 'SCALAR'.
  • Only 'Use SSL/TLS settings default', 'Allow without decryption', 'Drop', 'Reject' are allowed.
SSLv2SSLv3   No   Use SSL/TLS settings default
Specify the action to be used for SSL 2.0 and SSL 3.0.
SSLv2SSLv3 constraints:
  • Type is 'SCALAR'.
  • Only 'Use SSL/TLS settings default', 'Allow without decryption', 'Drop', 'Reject' are allowed.
SSLCompression   No   Use SSL/TLS settings default
Specify the action for connections using SSL compression.
SSLCompression constraints:
  • Type is 'SCALAR'.
  • Only 'Use SSL/TLS settings default', 'Allow without decryption', 'Drop', 'Reject' are allowed.
KeyExchangeAlgorithm   No
Specify blocked key exchange algorithms the profile contains.
AuthenticationAlgorithm   No
Specify blocked authentication algorithms the profile contains.
BlockAndStreamCipher   No
Specify blocked block and stream cipher algorithms the profile contains.
HashAlgorithm   No
Specify blocked hash algorithms the profile contains.
MinRSAKeySize   No   1024
Specify the minimum allowed RSA key size.
MinRSAKeySize constraints:
  • Type is 'SCALAR'.
  • Only 'No minimum', '1024', '2048' are allowed.
NewName   No
Edit the name for the Decryption Profile.
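
Several defaults in the table above are permissive (certificate blocking off, minimum TLS v1.0, minimum RSA key size 1024), so a profile that sets only Name inherits all of them. The Python check below is an added example, not part of the vendor documentation: it validates a DecryptionProfile against the documented constraints and reports the effective settings a reviewer would question. It assumes an Add request in which omitted optional elements take the documented default, and the warning rules are this example's own review policy.

```python
import xml.etree.ElementTree as ET

YES_NO = {"yes", "no", "true", "false"}
BLOCK_FLAGS = ["BlockInvalidDate", "BlockUntrustedIssuer", "BlockSelfSigned",
               "BlockRevoked", "BlockNameMismatch", "BlockOtherReasons"]
# Defaults and allowed values, both copied from the parameter table.
DEFAULTS = dict({f: "no" for f in BLOCK_FLAGS}, MinTLSVersion="TLS v1.0",
                MinRSAKeySize="1024", UnrecognizedCiphers="Allow without decryption")
ALLOWED = dict({f: YES_NO for f in BLOCK_FLAGS},
               MinRSAKeySize={"No minimum", "1024", "2048"},
               UnrecognizedCiphers={"Allow without decryption", "Drop", "Reject"})

def audit_profile(xml_text):
    """Return (errors, warnings) for one <DecryptionProfile> element."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    name = (root.findtext("Name") or "").strip()
    if not name or len(name) > 60 or "," in name:
        errors.append("Name: mandatory, at most 60 characters, no comma")
    if len(root.findtext("Description") or "") > 255:
        errors.append("Description: at most 255 characters")
    # Effective settings = documented defaults overlaid with what the XML sets.
    eff = dict(DEFAULTS)
    for child in root:
        if child.tag in DEFAULTS:
            eff[child.tag] = (child.text or "").strip()
    for tag, allowed in ALLOWED.items():
        if eff[tag] not in allowed:
            errors.append(f"{tag}: value {eff[tag]!r} is not allowed")
    # Review policy below is an assumption of this example, not vendor guidance.
    for flag in BLOCK_FLAGS:
        if eff[flag] in ("no", "false"):
            warnings.append(f"{flag} is off")
    if eff["MinTLSVersion"] in ("TLS v1.0", "TLS v1.1"):
        warnings.append("MinTLSVersion permits TLS below 1.2")
    if eff["MinRSAKeySize"] in ("No minimum", "1024"):
        warnings.append("MinRSAKeySize accepts RSA keys under 2048 bits")
    if eff["UnrecognizedCiphers"] == "Allow without decryption":
        warnings.append("UnrecognizedCiphers passes traffic uninspected")
    return errors, warnings

# Constructed samples: a name-only profile and a tightened one.
MINIMAL = "<DecryptionProfile><Name>Branch</Name></DecryptionProfile>"
STRICT = ("<DecryptionProfile><Name>Strict</Name>"
          + "".join(f"<{f}>yes</{f}>" for f in BLOCK_FLAGS)
          + "<MinTLSVersion>TLS v1.2</MinTLSVersion><MinRSAKeySize>2048</MinRSAKeySize>"
          "<UnrecognizedCiphers>Reject</UnrecognizedCiphers></DecryptionProfile>")

if __name__ == "__main__":
    print(audit_profile(MINIMAL), audit_profile(STRICT))
```
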



Operation   Status   Message
Add Decryption Profile   200
Add Decryption Profile   500
Add Decryption Profile   502
Add Decryption Profile   522
Update Decryption Profile   200
Update Decryption Profile   500


© Copyright 2019 Sophos Firewall Limited. All rights reserved.