11.20. SSL Profiles

An SSL profile specifies the TLS protocol versions and the cipher suites (encryption and digital signature algorithms) that a TLS endpoint is allowed to negotiate. Profiles are referenced by SSL inspection rules and by the web console, auth page, block page, and web portal settings.

To create an SSL profile, go to the Libraries --> SSL profiles section, click Add, and provide the desired settings:

Name

The name of the SSL profile.

Description

A description of the SSL profile.

SSL protocols

Min TLS version: sets the minimum TLS version that can be used with this profile.

Max TLS version: sets the maximum TLS version that can be used with this profile.

These two settings determine the TLS version range supported by this profile. TLS v1.0 and TLS v1.1 are formally deprecated (RFC 8996), so a minimum of TLS v1.2 is the usual choice unless a specific legacy client requires an older version.

Cipher suites

In this section you choose the cipher suites, i.e. the encryption and digital signature algorithms the profile allows. Each option is a string naming one suite: the key exchange and authentication method, then the bulk cipher and MAC (or AEAD) after "with". The first four entries, which name no key exchange, are TLS v1.3 suites; all others apply to TLS v1.2 and earlier. Select only the suites your organization needs. The list deliberately includes legacy suites kept for compatibility with old clients (RC4, single DES, 3DES, MD5-based HMAC, and static RSA or ECDH key exchange without forward secrecy); leave them unselected unless a known client depends on them. The supported combinations are:

  • TLS AES 128 CCM SHA256

  • TLS AES 128 GCM SHA256

  • TLS AES 256 GCM SHA384

  • TLS CHACHA20 POLY1305 SHA256

  • TLS DHE DSS with 3DES EDE CBC SHA

  • TLS DHE DSS with AES 128 CBC SHA

  • TLS DHE DSS with AES 128 CBC SHA256

  • TLS DHE DSS with AES 128 GCM SHA256

  • TLS DHE DSS with AES 256 CBC SHA

  • TLS DHE DSS with AES 256 CBC SHA256

  • TLS DHE DSS with AES 256 GCM SHA384

  • TLS DHE RSA with 3DES EDE CBC SHA

  • TLS DHE RSA with AES 128 CBC SHA

  • TLS DHE RSA with AES 128 CBC SHA256

  • TLS DHE RSA with AES 128 GCM SHA256

  • TLS DHE RSA with AES 256 CBC SHA

  • TLS DHE RSA with AES 256 CBC SHA256

  • TLS DHE RSA with AES 256 GCM SHA384

  • TLS DHE RSA with CHACHA20 POLY1305 SHA256

  • TLS DHE RSA with DES CBC SHA

  • TLS ECDHE ECDSA with 3DES EDE CBC SHA

  • TLS ECDHE ECDSA with AES 128 CBC SHA

  • TLS ECDHE ECDSA with AES 128 CBC SHA256

  • TLS ECDHE ECDSA with AES 128 GCM SHA256

  • TLS ECDHE ECDSA with AES 256 CBC SHA

  • TLS ECDHE ECDSA with AES 256 CBC SHA384

  • TLS ECDHE ECDSA with AES 256 GCM SHA384

  • TLS ECDHE ECDSA with CHACHA20 POLY1305 SHA256

  • TLS ECDHE ECDSA with RC4 128 SHA

  • TLS ECDHE RSA with 3DES EDE CBC SHA

  • TLS ECDHE RSA with AES 128 CBC SHA

  • TLS ECDHE RSA with AES 128 CBC SHA256

  • TLS ECDHE RSA with AES 128 GCM SHA256

  • TLS ECDHE RSA with AES 256 CBC SHA

  • TLS ECDHE RSA with AES 256 CBC SHA384

  • TLS ECDHE RSA with AES 256 GCM SHA384

  • TLS ECDHE RSA with CHACHA20 POLY1305 SHA256

  • TLS ECDHE RSA with RC4 128 SHA

  • TLS ECDH ECDSA with 3DES EDE CBC SHA

  • TLS ECDH ECDSA with AES 128 CBC SHA

  • TLS ECDH ECDSA with AES 128 CBC SHA256

  • TLS ECDH ECDSA with AES 128 GCM SHA256

  • TLS ECDH ECDSA with AES 256 CBC SHA

  • TLS ECDH ECDSA with AES 256 CBC SHA384

  • TLS ECDH ECDSA with AES 256 GCM SHA384

  • TLS ECDH ECDSA with RC4 128 SHA

  • TLS ECDH RSA with 3DES EDE CBC SHA

  • TLS ECDH RSA with AES 128 CBC SHA

  • TLS ECDH RSA with AES 128 CBC SHA256

  • TLS ECDH RSA with AES 128 GCM SHA256

  • TLS ECDH RSA with AES 256 CBC SHA

  • TLS ECDH RSA with AES 256 CBC SHA384

  • TLS ECDH RSA with AES 256 GCM SHA384

  • TLS ECDH RSA with RC4 128 SHA

  • TLS GOST2012256 with 28147 CNT IMIT

  • TLS GOSTR341001 with 28147 CNT IMIT

  • TLS RSA PSK with 3DES EDE CBC SHA

  • TLS RSA PSK with AES 128 CBC SHA

  • TLS RSA PSK with AES 128 CBC SHA256

  • TLS RSA PSK with AES 128 GCM SHA256

  • TLS RSA PSK with AES 256 CBC SHA

  • TLS RSA PSK with AES 256 CBC SHA384

  • TLS RSA PSK with AES 256 GCM SHA384

  • TLS RSA PSK with RC4 128 SHA

  • TLS RSA with 3DES EDE CBC SHA

  • TLS RSA with AES 128 CBC SHA

  • TLS RSA with AES 128 CBC SHA256

  • TLS RSA with AES 128 GCM SHA256

  • TLS RSA with AES 256 CBC SHA

  • TLS RSA with AES 256 CBC SHA256

  • TLS RSA with AES 256 GCM SHA384

  • TLS RSA with DES CBC SHA

  • TLS RSA with RC4 128 MD5

  • TLS RSA with RC4 128 SHA

  • TLS SRP DSS with 3DES EDE CBC SHA

  • TLS SRP DSS with AES 128 CBC SHA

  • TLS SRP DSS with AES 256 CBC SHA

  • TLS SRP RSA with 3DES EDE CBC SHA

  • TLS SRP RSA with AES 128 CBC SHA

  • TLS SRP RSA with AES 256 CBC SHA

Set encryption algorithms for standard protocols

Use this section to select cipher suites by TLS version instead of one by one. Choose the desired version in the Select protocol and set ciphers set field and click Apply; every suite that belongs to that protocol version is then selected automatically. Repeat the step for each additional TLS version you want to cover. Review the result before saving: the automatic selection covers every suite defined for that version, including the legacy ones, and you may want to clear those your clients do not need.
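The selection that the Apply step makes, together with the filtering a practitioner would add on top of it, as an added example (this is the editor's code, not the product's): the Python script below takes suite names in the form the page lists them, works out which TLS versions each suite is defined for, emulates the Apply step for a chosen Min/Max version range, and then drops the legacy suites. The sample list, the classification rules and the weakness labels are assumptions made for the example; the product's own selection logic is not published on this page.

```python
import re

TLS10, TLS11, TLS12, TLS13 = "TLS v1.0", "TLS v1.1", "TLS v1.2", "TLS v1.3"
VERSION_ORDER = [TLS10, TLS11, TLS12, TLS13]

# Constructed sample: a subset of the suite names exactly as the page lists them.
# Assumption: the product's display strings are the IANA suite names with
# underscores shown as spaces and WITH lower-cased.
SAMPLE_SUITES = [
    "TLS AES 128 GCM SHA256",
    "TLS AES 256 GCM SHA384",
    "TLS CHACHA20 POLY1305 SHA256",
    "TLS ECDHE RSA with AES 128 GCM SHA256",
    "TLS ECDHE RSA with AES 128 CBC SHA",
    "TLS ECDHE ECDSA with CHACHA20 POLY1305 SHA256",
    "TLS ECDH RSA with AES 256 GCM SHA384",
    "TLS RSA with AES 128 GCM SHA256",
    "TLS RSA with 3DES EDE CBC SHA",
    "TLS RSA with RC4 128 MD5",
    "TLS DHE RSA with DES CBC SHA",
    "TLS RSA PSK with AES 128 CBC SHA",
]


def parse_suite(name):
    """Split a display name into (key exchange/authentication, cipher+MAC).
    TLS 1.3 suites carry no key-exchange part and therefore no "with"."""
    parts = name.split()
    if parts[0] != "TLS":
        raise ValueError(f"not a cipher suite name: {name!r}")
    if "with" in parts:
        i = parts.index("with")
        return " ".join(parts[1:i]), " ".join(parts[i + 1:])
    return "", " ".join(parts[1:])


def suite_versions(name):
    """Protocol versions in which the suite is defined at all."""
    kx, cipher = parse_suite(name)
    if kx == "":
        return {TLS13}
    if "GOST" in kx:
        return set()  # GOST suites belong in the dedicated GOST profile, not a "standard" selection
    if re.search(r"\b(GCM|CCM|SHA256|SHA384)\b", cipher):
        return {TLS12}  # AEAD suites and SHA-2 HMACs need the TLS 1.2 PRF (RFC 5246, RFC 5288)
    return {TLS10, TLS11, TLS12}  # SHA-1/MD5 HMAC suites exist since TLS 1.0


def weaknesses(name):
    """Reasons a suite should normally stay unselected; an empty list means acceptable."""
    kx, cipher = parse_suite(name)
    flags = []
    if "RC4" in cipher:
        flags.append("RC4 (prohibited for TLS by RFC 7465)")
    if re.search(r"\bDES CBC\b", cipher):
        flags.append("single DES, 56-bit key")
    if "3DES" in cipher:
        flags.append("3DES, 64-bit block size (Sweet32)")
    if "MD5" in cipher:
        flags.append("MD5-based HMAC")
    if "DSS" in kx:
        flags.append("DSA signatures (removed in TLS 1.3, rarely deployed)")
    if "PSK" in kx or "SRP" in kx:
        flags.append("needs a pre-shared key or SRP verifier; browsers do not offer these")
    elif kx in ("RSA", "ECDH RSA", "ECDH ECDSA"):
        flags.append("no forward secrecy (static key exchange)")
    return flags


def apply_protocol(suites, versions):
    """Emulate 'Select protocol and set ciphers set' + Apply: every suite
    defined for any of the chosen versions, in the page's order."""
    wanted = set(versions)
    return [s for s in suites if suite_versions(s) & wanted]


def harden(suites, allow_cbc=True):
    """Drop suites with a listed weakness; optionally drop all CBC suites too."""
    kept = []
    for s in suites:
        if weaknesses(s):
            continue
        if not allow_cbc and "CBC" in parse_suite(s)[1]:
            continue
        kept.append(s)
    return kept


def build_profile(suites, min_version, max_version, allow_cbc=True):
    """An SSL profile as a dict: version range plus the hardened suite selection."""
    lo, hi = VERSION_ORDER.index(min_version), VERSION_ORDER.index(max_version)
    if lo > hi:
        raise ValueError("Min TLS version is above Max TLS version")
    selected = apply_protocol(suites, VERSION_ORDER[lo:hi + 1])
    return {"min": min_version, "max": max_version, "selected": harden(selected, allow_cbc)}


if __name__ == "__main__":
    profile = build_profile(SAMPLE_SUITES, TLS12, TLS13)
    print(f"{profile['min']} .. {profile['max']}")
    for s in profile["selected"]:
        print("  select:", s)
    for s in SAMPLE_SUITES:
        for reason in weaknesses(s):
            print(f"  skip:   {s}: {reason}")
```

Run it as is to see a TLS v1.2 to v1.3 profile reduced to the AEAD and ECDHE suites; pass `allow_cbc=False` to also drop the CBC suites, and feed the script the full list from the page to review an existing profile.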

There are several default SSL profiles in the product that can be used by the administrator as is or edited/deleted if necessary. The following predefined SSL profiles exist:

Default SSL profile

Contains the cipher suites supported by TLS v1.1 to TLS v1.2, the protocol versions most commonly used on the Internet. This profile is used by default for:

  • SSL traffic inspection rules.

  • Captive portal auth page.

  • Block page.

  • Web portal.

Default SSL profile (TLSv1.3)

Contains encryption and digital signature algorithms supported by TLS v1.3. Not used by default.

Default SSL profile (GOST)

Contains the cipher suites for TLS with GOST algorithms (TLS GOST2012256 with 28147 CNT IMIT and TLS GOSTR341001 with 28147 CNT IMIT). Can be used in organizations that require these algorithms, e.g., for the web portal. The client browsers must also support these suites. Not used by default.

Default SSL profile (web console)

Contains encryption and digital signature algorithms supported by TLS v1.0 to TLS v1.2. This profile is used by default to provide SSL access to the web console.

Important! Use caution when editing this profile. If the profile no longer contains a TLS version and cipher suite that your browser supports, you lose access to the web console. Before saving, make sure that at least one selected suite within the selected version range is offered by the browser you administer from, and verify the console still negotiates from a second client afterwards.
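A check to run after editing a profile, and before relying on it for the web console, as an added example that is not part of the product: the Python script below connects to a listener once per TLS version with the version pinned, records which versions and cipher suites actually negotiate, and compares the outcome with the Min/Max TLS version you configured. Host, port and the expected range are command-line arguments; the constructed results dictionaries used to exercise assess() are assumptions. A version refused inside the configured range usually means the selected suites and the client's suites no longer overlap, which is exactly the lockout the warning above describes.

```python
import socket
import ssl
import sys

# Label -> ssl.TLSVersion, in protocol order.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LABELS = [label for label, _ in VERSIONS]


def make_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the question is what negotiates, not whether the cert chains
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        try:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe only.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Return (negotiated version, OpenSSL cipher name) or None when the handshake is refused."""
    ctx = make_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def probe(host, port):
    """Probe every version; the dict maps label -> (version, cipher) or None."""
    return {label: probe_version(host, port, v) for label, v in VERSIONS}


def assess(results, expect_min, expect_max):
    """Compare probe results with the Min/Max TLS version the profile should enforce."""
    lo, hi = LABELS.index(expect_min), LABELS.index(expect_max)
    findings = []
    for i, label in enumerate(LABELS):
        got = results.get(label)
        inside = lo <= i <= hi
        if got and not inside:
            findings.append(f"{label} accepted outside the configured range {expect_min}..{expect_max}")
        if not got and inside:
            findings.append(f"{label} refused although it is inside the configured range "
                            "(version disabled or no cipher suite in common with this client)")
    return findings


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    expect_min = sys.argv[3] if len(sys.argv) > 3 else "TLSv1.2"
    expect_max = sys.argv[4] if len(sys.argv) > 4 else "TLSv1.3"
    results = probe(host, port)
    for label in LABELS:
        print(f"{label}: {results[label] or 'refused'}")
    for finding in assess(results, expect_min, expect_max):
        print("FINDING:", finding)
```

Cipher names come back in OpenSSL notation (for example ECDHE-RSA-AES128-GCM-SHA256), not as the product's display strings; the probe uses OpenSSL's full suite list, so a suite this client negotiates may still be absent from a specific browser.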