ESET Online Help


SSL/TLS

ESET Server Security can check for threats in communications that use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. It offers several scanning modes that examine SSL-protected communication differently depending on the type of certificate involved: trusted certificates, unknown certificates, or certificates excluded from SSL-protected communication checks.

SSL/TLS mode is available in the following options:

Automatic—The default mode scans only appropriate applications, such as web browsers and email clients. You can override this by selecting the applications whose communication is scanned.

Interactive—If you visit a new SSL/TLS-protected site (one with an unknown certificate), an action selection dialog is displayed. This mode allows you to build a list of SSL/TLS certificates that will be excluded from scanning.

Policy-based—Select this option to scan all SSL-protected communication, except communication protected by certificates that are excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified, and the communication will be filtered automatically. When you access a server with an untrusted certificate that has been marked as trusted (on the trusted certificates list), communication with the server is allowed, and the content of the communication channel is filtered.

Application scan rules—Click Edit to customize the behavior of ESET Server Security for specific applications.

Certificate rules—Click Edit to customize the behavior of ESET Server Security for specific SSL certificates.

Do not scan traffic with domains trusted by ESET—When enabled, communication with trusted domains will be excluded from scanning. An ESET-managed, built-in whitelist determines a domain's trustworthiness.

Integrate ESET root certificate into the supported applications

For SSL communication to work properly in your browsers/email clients, it is essential that the root certificate for ESET be added to the list of known root certificates (publishers). ESET Server Security will automatically add the ESET SSL Filter CA certificate to known browsers (for example, Opera) when enabled. For browsers using the system certification store, the certificate is added automatically. For example, Firefox is automatically configured to trust Root authorities in the system certification store.

To apply the certificate to unsupported browsers, click View Certificate > Details > Copy to File... and manually import it into the browser.

List of SSL/TLS filtered applications

Add a filtered application and set one of the scan actions. The List of SSL/TLS filtered applications can be used to customize ESET Server Security behavior for specific applications, and to remember the actions chosen when Interactive mode is selected as the SSL/TLS protocol filtering mode.

Action if certificate trust cannot be established

In some cases, a website certificate cannot be verified using the Trusted Root Certification Authorities (TRCA) store. This means that the certificate was signed by someone other than a trusted authority (for example, the administrator of a web server or a small business), and treating such a certificate as trusted is not always a risk. Most large businesses (for example, banks) use a certificate signed by an authority in the TRCA store.

If Ask about certificate validity is selected (the default), you will be prompted to choose an action when encrypted communication is established. An action selection dialog is displayed in which you can mark the certificate as trusted or excluded. If the certificate is not present in the TRCA list, the window is red; if the certificate is on the TRCA list, the window is green. Select Block communication that uses the certificate to always terminate encrypted connections to sites with unverified certificates.

Block traffic encrypted by obsolete SSL2

Communication using this earlier version of the SSL protocol will automatically be blocked.

Action for corrupted certificates

A corrupted certificate is one that uses a format not recognized by ESET Server Security or that was received damaged (for example, overwritten with random data). In this case, we recommend leaving Block communication that uses the certificate selected. If Ask about certificate validity is selected, you are prompted to choose an action when the encrypted communication is established.
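The decision described in the two sections above (a certificate that chains to the trusted store is allowed and filtered; an unverifiable or corrupted one is blocked, or the user is prompted when Ask about certificate validity is selected) can be modelled directly with a chain verifier. The following Go program is an added example, not ESET's code: it uses Go's crypto/x509 verification, constructs its test certificates at run time (a root that stands in for the TRCA store, a leaf signed by it, and a self-signed certificate), treats a truncated copy of the leaf as the corrupted case, and the names Inspect and issue and the action strings are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Inspect classifies a DER certificate against trusted (the TRCA store plus anything the user marked
// as trusted) and applies the page's settings: trusted traffic is allowed and filtered; anything
// else is blocked or, when ask ("Ask about certificate validity") is set, the user is prompted.
func Inspect(der []byte, trusted *x509.CertPool, ask bool) (state, action string) {
	action = map[bool]string{true: "prompt-user", false: "block"}[ask]
	if cert, err := x509.ParseCertificate(der); err != nil {
		return "corrupted", action // unrecognized format or damaged bytes
	} else if _, err = cert.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
		return "untrusted", action // parses, but chains to nothing in trusted
	}
	return "trusted", "allow-and-filter"
}

// issue creates a constructed test certificate for cn: self-signed when parent is nil, else signed with signer (parent's key).
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	root, rootKey := issue("Constructed Test Root", nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(root) // plays the role of the TRCA store
	bank, _ := issue("bank.example", root, rootKey) // chains to the store
	self, _ := issue("intranet.example", nil, nil)  // self-signed by a server admin
	fmt.Println(Inspect(bank.Raw, trusted, true))       // trusted allow-and-filter
	fmt.Println(Inspect(self.Raw, trusted, true))       // untrusted prompt-user
	fmt.Println(Inspect(bank.Raw[:40], trusted, false)) // corrupted block
}
```

Adding the self-signed certificate to the same pool with trusted.AddCert(self) models the "mark as trusted" choice in the dialog: the next Inspect call on it returns trusted and the channel is filtered rather than blocked.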