H3C SecPath Security Products FAQ(V7)-6W100


29-SSL decryption FAQ

SSL offloading (SSL decryption) FAQ

Q.     What are the networking restrictions for SSL offloading?

A.     At present, SSL offloading supports only Layer 3 networking and does not support Layer 2 networking or interface pair networking (including bridge forwarding).

Q.     What are the restrictions on configuring SSL offloading?

A.     In a security policy, you need to specify the source security zone as the local security zone in addition to binding interfaces to the source and destination security zones.

Q.     How do I identify whether a connection has been SSL offloaded?

A.     A simple way to identify whether a connection has been SSL offloaded is to view the certificate information displayed in the browser. The method for viewing certificate information varies by browser. Typically, click the lock icon in the address bar of the browser to obtain certificate information from the drop-down menu. If an HTTPS connection is SSL offloaded, the Issued by field is replaced with the subject (the Issued to field) of the decryption certificate imported from the device.

Q.     How do I identify whether the server IP address of a connection has been added to the IP address whitelist?

A.     Perform the following steps:

1.     In the CMD window, ping the currently accessed hostname to obtain the IP address of the server.

2.     Use the display app proxy ssl whitelist ip all command to identify whether the output displays the IP address. If yes, the server address for this HTTPS connection is added to the IP address whitelist.

Q.     How do I identify whether the hostname of a connection matches the hostname whitelist?

A.     Perform the following steps:

1.     Obtain certificate information from the current browser. Click the Details tab. Identify whether the certificate has the Subject Alternative Names field.

  • If yes, the first DNS Name= field displays the hostname information of the current certificate.

  • If not, continue to check subject information of the certificate, where the CN= field displays the hostname information.

  • That is, the DNS Name= field takes precedence over the CN= field as the hostname of the certificate.

2.     Identify whether a match is found on the SSL offloading hostname whitelist.

The whitelist uses fuzzy matching against the certificate hostname: a match is found as long as the certificate hostname contains a string that is on the SSL offloading hostname whitelist.

To view hostname whitelist information, execute the display app proxy ssl whitelist hostname predefined command or go to Policies > Application Proxy > Whitelist > Predefined Whitelist.
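The two steps above, as an added example that is not H3C code: it picks the certificate hostname by the precedence rule (first DNS Name, then CN) and applies the contains-style match. The function names and sample data are hypothetical, the certificate layout is the dict returned by Python's ssl.SSLSocket.getpeercert(), and case-insensitive comparison is an assumption the FAQ does not confirm.

```python
"""Added example: the hostname-whitelist check described in this FAQ."""


def cert_hostname(cert):
    """Return the hostname used for whitelist matching.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert().
    The first SAN DNS name wins; the subject CN is only a fallback.
    """
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            return value
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def whitelist_hits(cert, whitelist):
    """Return the whitelist entries contained in the certificate hostname."""
    host = cert_hostname(cert)
    if host is None:
        return []
    # Assumption: comparison ignores case (the FAQ does not say).
    host = host.lower()
    return [entry for entry in whitelist if entry and entry.lower() in host]


# Constructed sample data, not real whitelist entries or certificates.
WHITELIST = ["pay.example", "updates.example.net"]
CERTS = {
    # CN is on the whitelist, but the first DNS name takes precedence.
    "san_first": {"subject": ((("commonName", "pay.example"),),),
                  "subjectAltName": (("DNS", "www.shop.example"),
                                     ("DNS", "pay.example"))},
    # No SAN extension, so the CN is used.
    "cn_only": {"subject": ((("commonName", "updates.example.net"),),)},
    # Fuzzy match: the entry is only a substring of a longer hostname.
    "substring": {"subject": ((("commonName", "unused.example"),),),
                  "subjectAltName": (("DNS", "api.pay.example.org"),)},
}

if __name__ == "__main__":
    for name, cert in CERTS.items():
        print(name, cert_hostname(cert), whitelist_hits(cert, WHITELIST))
```

The third case shows why whitelist entries are worth reviewing: an entry exempts every certificate hostname that contains it, not only the exact name.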

Q.     How do I disable the hostname whitelist?

A.     To prevent traffic from matching the IP address whitelist after you disable the hostname whitelist, perform the following steps as instructed:

1.     Use the undo app proxy ssl whitelist predefined hostname command to disable hostnames on the predefined SSL hostname whitelist, or select the hostnames to be disabled on the webpage.

2.     Use the app proxy ssl whitelist activate command or click Submit on the webpage to activate the configuration.

3.     Use the reset app proxy ssl whitelist ip command to clear the SSL IP address whitelist.

Q.     How do I identify whether two-way authentication is used for a connection?

A.     SSL offloading does not support two-way authentication.

To identify whether two-way authentication is performed, capture packets on the device or PC side and check the SSL handshake process. If the server has sent a certificate request, two-way authentication is used for the current HTTPS connection.
