sslmediate - Manage the SSL mediation
[1] sslmediate [transparent [(on | off)]]
[2] sslmediate [(expired | premature | selfsigned) [(on | off)]]
[3] sslmediate policy [(allow | deny)]
[4] sslmediate exception [domainname [(add | del) <domain-name> | raz]]
[5] sslmediate exception [urllist [(add | del) <urllist-name> | raz]]
The SSL mediation allows you to decrypt HTTPS traffic at the gateway point in order to cache, inspect its contents and possibly block unwanted contents. The sslmediate command is used to configure the SSL mediation at the gateway point.
The first [1] usage form allows you to activate or deactivate the transparent SSL mediation. When the transparent mode is turned off the proxy IP address and its port number must be set at the client side (Firefox, Chrome...) for HTTPS. When the transparent mode is turned on this setting is not required as long as HTTPS traffic are routed via the appliance.
The second [2] usage form allows you to configure the tolerance of the system to allow or deny some errors in original certificates transmitted by HTTPS servers. The following errors can be allowed or denied at the gateway level:
• expired: the certificate has expired and is no longer valid.
• premature: the certificate is not yet valid because its validity period is in the future.
• selfsigned: the certificate is self signed or an intermediary certificate used to sign it is self signed (not signed by a know CA: Certificate Authority).
To allow an error use the keyword on. To deny an error use the keyword off.
The third [3] usage form allows you to configure the SSL mediation policy. In this way the gateway can bypass the SSL mediation for some websites (deny policy) or only act as an SSL mediator for some given websites (allow policy). The fourth [4] and fifth [5] usage form are used to define domain name exceptions to be treated or bypassed by the SSL mediation. Please note that exception lists can’t contain a domain name and one of its sub domains at the same time. In such a case sub domains are simply ignored.
To add a domain name to the list of exceptions use the keywords domain add followed by the domain name. To add a URL list of domain names (see the command urllist) use the keywords urllist add followed by the URL list name (as defined by the command urllist). To delete an entry use keyword del instead on add. To completely erase the exception list use the keyword raz.
CAUTION: please note that as HTTPS aims to give users privacy and security, its decrypting in the middle (before reaching the final client) may violate ethical norms and should be used with caution.
apply (1) mode (1) tls (1) transparent (1) urllist (1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2024 CacheGuard - All rights reserved