Decryption Profile¶
A Decryption Profile is used by the Gateway in a Reverse Proxy or Forward Proxy scenario. When a connection is proxied, the front-end session is terminated on the Gateway and a new back-end session is established to the server. The intention of this termination is to decrypt and inspect the traffic to protect against malicious activity. In order to decrypt encrypted traffic, a Decryption Profile is necessary.
Creating a Profile¶
- Navigate to Manage -> Profiles -> Decryption
- Click Create
- Specify a Profile Name and a Description
- For Certificate Method choose Select Existing
- For Certificate choose the desired certificate
- If using non-default (non-PFS) Cipher Suites, select the set of desired Cipher Suites from the Diffie-Hellman or PKCS (RSA) menus
- Click Save.
Associating a Profile¶
A Decryption Profile is associated with a Reverse Proxy (Ingress) or Forward Proxy (Egress/East-West) Service Object. To associate a Decryption Profile with a Service Object, refer to the following:
- For Reverse Proxy (Ingress), refer to Ingress Service (Reverse Proxy)
- For Forward Proxy (Egress/East-West), refer to Egress Service (Forward Proxy)
Cipher Suites¶
The Valtix Gateway supports a set of default and user-selectable Cipher Suites. The default set are PFS Cipher Suites that are always selected. The user-selectable set are Diffie-Hellman and PKCS (RSA) Cipher Suites that can be selected by the user. The combined set of Cipher Suites (default and user-selected) are used by the Gateway for establishing a secure front-end encrypted session. The client will send an ordered list of preferred Cipher Suites. The Gateway will respond with a Cipher Suite chosen from the ordered set submitted by the client and the set available by the Gateway. If the client allows the server to define the order, then the Cipher Suite chosen is from the ordered set available by the Gateway and the set submitted by the client.
The following is an ordered list of Cipher Suites supported by the Gateway and available in a Decryption Profile:
| Category | Cipher Suite | Key Exchange | Cipher | Hash | Default |
|---|---|---|---|---|---|
| PFS | ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA | AES256-GCM | SHA384 | ✅ |
| PFS | ECDHE-RSA-AES256-CBC-SHA384 | ECDHE-RSA | AES256-CBC | SHA384 | ✅ |
| Diffie-Hellman | DH-RSA-AES256-GCM-SHA384 | DH-RSA | AES256-GCM | SHA384 | |
| PFS | DHE-RSA-AES256-GCM-SHA384 | DHE-RSA | AES256-GCM | SHA384 | ✅ |
| PFS | DHE-RSA-AES256-CBC-SHA256 | DHE-RSA | AES256-CBC | SHA384 | ✅ |
| Diffie-Hellman | DH-RSA-AES256-SHA256 | DH-RSA | AES256-CBC | SHA256 | |
| Diffie-Hellman | DH-RSA-AES256-SHA | DH-RSA | AES256-CBC | SHA160 | |
| PKCS (RSA) | AES256-GCM-SHA384 | PKCS-RSA | AES256-GCM | SHA384 | |
| PKCS (RSA) | AES256-SHA256 | PKCS-RSA | AES256-CBC | SHA256 | |
| PKCS (RSA) | AES256-SHA | PKCS-RSA | AES256-CBC | SHA160 | |
| PFS | ECDHE-RSA-AES128-GCM-SHA256 | ECDHE-RSA | AES128-GCM | SHA256 | ✅ |
| PFS | ECDHE-RSA-AES128-CBC-SHA256 | ECDHE-RSA | AES128-CBC | SHA256 | ✅ |
| Diffie-Hellman | DH-RSA-AES128-GCM-SHA256 | DH-RSA | AES128-GCM | SHA256 | |
| PFS | DHE-RSA-AES128-GCM-SHA256 | DHE-RSA | AES128-GCM | SHA256 | ✅ |
| PFS | DHE-RSA-AES128-CBC-SHA256 | DHE-RSA | AES128-CBC | SHA256 | ✅ |
| Diffie-Hellman | DH-RSA-AES128-SHA256 | DH-RSA | AES128-CBC | SHA256 | |
| Diffie-Hellman | DH-RSA-AES128-SHA | DH-RSA | AES128-CBC | SHA160 | |
| PKCS (RSA) | AES128-GCM-SHA256 | PKCS-RSA | AES128-GCM | SHA256 | |
| PKCS (RSA) | AES128-SHA256 | PKCS-RSA | AES128-CBC | SHA256 | |
| PKCS (RSA) | AES128-SHA | PKCS-RSA | AES128-CBC | SHA160 | |
| PKCS (RSA) | RC4-SHA | PKCS-RSA | RC4 | SHA160 | |
| PKCS (RSA) | RC4-MD5 | PKCS-RSA | RC4 | SHA160 |