SSL/TLS

ESET Server Security is capable of checking for threats in communications that use the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol.

You can use various scanning modes to examine SSL protected communications with trusted certificates, unknown certificates, or certificates that are excluded from SSL-protected communication checking.

Enable SSL/TLS protocol filtering

If protocol filtering is disabled, the program will not scan communications over SSL/TLS. The Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol filtering mode is available in the following options:

Automatic mode – Select this option to scan all SSL/TLS protected communications except communications protected by certificates excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified and the communication will automatically be filtered. When you access a server with an untrusted certificate that is marked as trusted (it is on the trusted certificates list), communication to the server is allowed and the content of the communication channel is filtered.

Interactive mode – If you connect to a new SSL/TLS-protected site (one with an unknown certificate), an action selection dialog is displayed. This mode allows you to create a list of SSL/TLS certificates that will be excluded from scanning.

Policy mode – All SSL/TLS connections are filtered, except configured exclusions.

List of SSL/TLS filtered applications

Add a filtered application and set one of the scan actions. The List of SSL/TLS filtered applications can be used to customize ESET Server Security behavior for specific applications, and to remember the actions chosen if Interactive mode is selected in SSL/TLS protocol filtering mode.

List of known certificates

Allows you to customize ESET Server Security behavior for specific SSL certificates. The list can be viewed and managed by clicking Edit next to List of known certificates.

Exclude communication with trusted domains

Select this option to exclude communication that uses Extended Validation certificates (for example, internet banking) from protocol checking.

Block encrypted communication utilizing the obsolete protocol SSL v2

Communication using this earlier version of the SSL protocol will automatically be blocked.

Root certificate

For SSL/TLS communication to work properly in your browsers/email clients, it is essential that the ESET root certificate be added to the list of known root certificates (publishers). The Add the root certificate to known browsers option should be enabled.

Select this option to automatically add the ESET root certificate to known browsers (for example, Opera and Firefox). For browsers using the system certification store, the certificate is added automatically (for example, in Internet Explorer).

To apply the certificate to unsupported browsers, click View Certificate > Details > Copy to File... and manually import it into the browser.

Certificate validity

If the certificate cannot be verified using the TRCA certificate store

In some cases, a website certificate cannot be verified using the Trusted Root Certification Authorities (TRCA) store. This means that the certificate was signed by someone other than a trusted certification authority (for example, the administrator of a web server or a small business); treating such a certificate as trusted is not always a risk. Most large businesses (for example, banks) use a certificate signed by a certification authority in the TRCA store.

If Ask about certificate validity is selected (selected by default), the user will be prompted to select an action to take when encrypted communication is established. You can select Block communication that uses the certificate to always terminate encrypted connections to sites with unverified certificates.

If the certificate is invalid or corrupt

This means that the certificate expired or was incorrectly signed. In this case, we recommend that you leave Block communication that uses the certificate selected.
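The three outcomes that the Certificate validity settings distinguish (verifiable through the trust store, not verifiable because the issuer is unknown, and invalid because the certificate has expired) can be reproduced with the openssl command-line tool. The following script is an added example, not part of this page or of the ESET product: it generates throwaway certificates, uses a CA file in place of the TRCA store, and assumes the openssl command is installed.

```bash
#!/bin/sh
# Added example, not ESET code: reproduce the certificate outcomes that the
# Certificate validity settings distinguish, using throwaway certificates
# generated here (constructed test data). Requires the openssl command.
set -eu

# make_test_certs DIR: writes ca.pem (a private CA standing in for "someone"
# who is not in the TRCA store), leaf.pem (signed by it, valid 30 days) and
# other.pem (an unrelated CA, i.e. a trust store that does not know the issuer).
make_test_certs() {
  d=$1
  openssl req -x509 -nodes -newkey rsa:2048 -keyout "$d/ca.key" -out "$d/ca.pem" \
    -days 30 -subj "/CN=Example Private CA" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=intranet.example" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 30 2>/dev/null
  openssl req -x509 -nodes -newkey rsa:2048 -keyout "$d/other.key" \
    -out "$d/other.pem" -days 30 -subj "/CN=Unrelated CA" 2>/dev/null
}

# classify_cert CERT STORE [ATTIME]: verify CERT against STORE only (the system
# store is ignored) and print the category the settings page distinguishes:
#   trusted        - chains to a CA in the store
#   unknown-issuer - cannot be verified using the store (self-signed/private CA)
#   invalid        - expired, incorrectly signed, or corrupt
classify_cert() {
  cert=$1; store=$2; attime=${3:-}
  if [ -n "$attime" ]; then
    out=$(openssl verify -no-CApath -CAfile "$store" -attime "$attime" "$cert" 2>&1 || true)
  else
    out=$(openssl verify -no-CApath -CAfile "$store" "$cert" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo trusted ;;
    *"unable to get local issuer certificate"*|*"self signed certificate"*|*"self-signed certificate"*)
      echo unknown-issuer ;;
    *) echo invalid ;;
  esac
}

WORK=$(mktemp -d)
make_test_certs "$WORK"
classify_cert "$WORK/leaf.pem" "$WORK/ca.pem"       # trusted
classify_cert "$WORK/leaf.pem" "$WORK/other.pem"    # unknown-issuer
# Verify 60 days from now, after the leaf's 30-day validity has ended.
classify_cert "$WORK/leaf.pem" "$WORK/ca.pem" "$(( $(date +%s) + 60 * 86400 ))"  # invalid
rm -rf "$WORK"
```

The second case is the one the Ask about certificate validity prompt covers; the third is the one for which the page recommends leaving Block communication that uses the certificate selected.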