Decryption Profile¶
A Decryption Profile is used by the Gateway in a Reverse Proxy or Forward Proxy scenario. When a connection is proxied, the front-end session is terminated on the Gateway and a new back-end session is established to the server. The intention of this termination is to decrypt and inspect the traffic to protect against malicious activity. In order to decrypt encrypted traffic, a Decryption Profile is necessary.
Creating a Profile¶
- Navigate to Manage -> Profiles -> Decryption
- Click Create
- Specify a Profile Name and a Description
- For Certificate Method choose Select Existing
- For Certificate choose the desired certificate
- For Min TLS Version choose the lowest TLS version that is accepted by the decryption profile. Default is TLS 1.0.
- If using non-default (non-PFS) Cipher Suites, select the set of desired Cipher Suites from the Diffie-Hellman or PKCS (RSA) menus
- Click Save.
Associating a Profile¶
A Decryption Profile is associated with a Reverse Proxy (Ingress) or Forward Proxy (Egress/East-West) Service Object. To associate a Decryption Profile with a Service Object, refer to the following:
- For Reverse Proxy (Ingress), refer to Ingress Service (Reverse Proxy)
- For Forward Proxy (Egress/East-West), refer to Egress Service (Forward Proxy)
TLS Version¶
The Valtix Gateway supports all TLS versions (TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0). Users can specify a minimum TLS version to use and Valtix Gateway will negotiate a TLS version that is equal to or higher than the specified minimum TLS version. The Valtix Gateway will always use the highest TLS version possible during the TLS negotiation. In the case where the Valtix Gateway cannot negotiate a version that meets the minimum TLS version specified, the Valtix Gateway will drop the session and logging a TLS_ERROR event.
Tech Notes
Only a single minimum TLS version can be applied to a Gateway. A consistent minimum TLS version must be used across all Decryption Profiles referenced by all Service Objects that are used within a Policy Ruleset or Policy Ruleset Group. If different minimum TLS versions are specified, the minimum TLS version that will be applied cannot be predetermined.
Cipher Suites¶
The Valtix Gateway supports a set of default and user-selectable Cipher Suites. The default set are PFS Cipher Suites that are always selected. The user-selectable set are Diffie-Hellman and PKCS (RSA) Cipher Suites that can be selected by the user. The combined set of Cipher Suites (default and user-selected) are used by the Gateway for establishing a secure front-end encrypted session. The client will send an ordered list of preferred Cipher Suites. The Gateway will respond with a Cipher Suite chosen from the ordered set submitted by the client and the set available by the Gateway. If the client allows the server to define the order, then the Cipher Suite chosen is from the ordered set available by the Gateway and the set submitted by the client.
The following is an ordered list of Cipher Suites supported by the Gateway and available in a Decryption Profile:
| Category | Cipher Suite | Key Exchange | Cipher | Hash | Default |
|---|---|---|---|---|---|
| PFS | ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA | AES256-GCM | SHA384 | ✅ |
| PFS | ECDHE-RSA-AES256-CBC-SHA384 | ECDHE-RSA | AES256-CBC | SHA384 | ✅ |
| Diffie-Hellman | DH-RSA-AES256-GCM-SHA384 | DH-RSA | AES256-GCM | SHA384 | |
| PFS | DHE-RSA-AES256-GCM-SHA384 | DHE-RSA | AES256-GCM | SHA384 | ✅ |
| PFS | DHE-RSA-AES256-CBC-SHA256 | DHE-RSA | AES256-CBC | SHA384 | ✅ |
| PFS | DHE-RSA-AES256-CBC-SHA | DHE-RSA | AES256-CBC | SHA | ✅ |
| Diffie-Hellman | DH-RSA-AES256-SHA256 | DH-RSA | AES256-CBC | SHA256 | |
| Diffie-Hellman | DH-RSA-AES256-SHA | DH-RSA | AES256-CBC | SHA160 | |
| PKCS (RSA) | AES256-GCM-SHA384 | PKCS-RSA | AES256-GCM | SHA384 | |
| PKCS (RSA) | AES256-SHA256 | PKCS-RSA | AES256-CBC | SHA256 | |
| PKCS (RSA) | AES256-SHA | PKCS-RSA | AES256-CBC | SHA160 | |
| PFS | ECDHE-RSA-AES128-GCM-SHA256 | ECDHE-RSA | AES128-GCM | SHA256 | ✅ |
| PFS | ECDHE-RSA-AES128-CBC-SHA256 | ECDHE-RSA | AES128-CBC | SHA256 | ✅ |
| Diffie-Hellman | DH-RSA-AES128-GCM-SHA256 | DH-RSA | AES128-GCM | SHA256 | |
| PFS | DHE-RSA-AES128-GCM-SHA256 | DHE-RSA | AES128-GCM | SHA256 | ✅ |
| PFS | DHE-RSA-AES128-CBC-SHA256 | DHE-RSA | AES128-CBC | SHA256 | ✅ |
| Diffie-Hellman | DH-RSA-AES128-SHA256 | DH-RSA | AES128-CBC | SHA256 | |
| Diffie-Hellman | DH-RSA-AES128-SHA | DH-RSA | AES128-CBC | SHA160 | |
| PKCS (RSA) | AES128-GCM-SHA256 | PKCS-RSA | AES128-GCM | SHA256 | |
| PKCS (RSA) | AES128-SHA256 | PKCS-RSA | AES128-CBC | SHA256 | |
| PKCS (RSA) | AES128-SHA | PKCS-RSA | AES128-CBC | SHA160 | |
| PFS | ECDHE-RSA-DES-CBC3-SHA | ECDHE-RSA | DES-CBC3 | SHA | ✅ |
| PFS | ECDHE-RSA-RC4-SHA | ECDHE-RSA | RC4 | SHA | ✅ |
| PKCS (RSA) | RC4-SHA | PKCS-RSA | RC4 | SHA160 | |
| PKCS (RSA) | RC4-MD5 | PKCS-RSA | RC4 | SHA160 |