8.3.4. Procedure – Configuring half-sided SSL encryption in HTTP

Purpose: 

To enable half-sided SSL encryption (HTTPS between the client and PSM, plain HTTP between PSM and the server), perform the following steps.

Figure 8.4. HTTP Control > Connections > SSL Settings — Enabling half-sided SSL encryption in HTTP

Limitations: 

The Server Name Indication (SNI) extension of SSL and TLS is only supported by certain client operating system and browser combinations. For details on the limitations, see Browsers with support for TLS server name indication. There are several unsupported scenarios, for example Windows XP with any version of Internet Explorer, or Ubuntu Lucid with certain versions of Mozilla Firefox. When the client does not support SNI, the CN will contain the target IP, and the client browser will display a certificate warning when accessing these servers.

Note

When Generate certificate on-the-fly is selected and the connection is in transparent setup, the CN field is filled in using SNI (Server Name Indication). When the client does not support SNI, the CN will contain the target IP, which may cause a certificate verification warning in the client browser.

Steps: 

  1. In SSL Settings, select Require HTTPS on client side and HTTP on server side.

    Note

    If the connection is configured at Target to Use fix address and the port number is set to 443, PSM will still automatically use port 80 to connect to the server when Require HTTPS on client side and HTTP on server side is selected.

  2. To use a fixed certificate, select Use the same certificate for each connection and copy or upload the certificate.

    Balabit recommends using 2048-bit RSA keys (or stronger).

  3. To generate a certificate on-the-fly, signed by a provided Signing CA, select Generate certificate on-the-fly. The generated certificate uses the parameters of the signing CA, except for the CN field, which is filled with the target host name.

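The CN rule described under Limitations and in step 3 (SNI host name if the client sends one, otherwise the target IP) can be reproduced on a captured ClientHello. The following is an added example written for this page, not PSM's own code: it builds a minimal constructed ClientHello with or without an SNI extension, extracts the server_name, and returns the CN an on-the-fly certificate would get. The host name and target IP are placeholders.

```python
import struct

def build_client_hello(server_name=None):
    """Assemble a minimal TLS 1.2 ClientHello; the SNI extension is added only when server_name is set."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random (zeros: constructed test data)
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                          # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0, len(sni)) + sni              # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body         # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the client sent no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                             # skip record/handshake headers, version, random
    pos += 1 + record[pos]                       # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                       # compression methods
    if pos >= len(record):
        return None                              # no extensions block at all (very old clients)
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                           # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None

def on_the_fly_cn(client_hello, target_ip):
    """CN the generated certificate gets: the SNI host name, falling back to the target IP."""
    return extract_sni(client_hello) or target_ip

if __name__ == "__main__":
    # Placeholder host name and target IP, constructed for this example
    print(on_the_fly_cn(build_client_hello("intranet.example.com"), "10.0.0.5"))  # SNI name
    print(on_the_fly_cn(build_client_hello(), "10.0.0.5"))                        # target IP
```

A CN that is an IP address is the case in which the client browser raises the verification warning the page describes.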