SSL Rules allow you to enable or disable man-in-the-middle interception through ACLs (see how to enable SSL on your Proxy).
This is a dedicated section because you do not need to include these rules in the main Access Control List.
The behavior is the same as for the Access Control List: you create rules that either decrypt the SSL session or leave it intact, according to the objects they match.
In this section you can use a dedicated proxy object called “SSL SNI domains”.
The SSL SNI domains object
This object is designed to inspect the certificate sent by web servers in order to retrieve the main domain used to establish the HTTPS session.
When it finds a domain in a certificate, the object checks whether that domain matches one of the domains listed, in order to match the rule.
To understand this object we will create a rule for the following need:
We want to decrypt YouTube and Facebook and keep all other websites intact.
- Click on New Rule
- Turn on the “Uncrypt SSL” option.
- Click on Add
- Select the rule you just added
- Click on the Groups tab.
- Click on the Link proxy object button.
- Define a group name
- Select the object “SSL SNI domains” in the drop-down list
- Click on Add
- The object is added to the available objects list.
- Click on the newly created object
- Click on the New Item button
- Add 2 domains: facebook.com and youtube.com
- See: How to get SNI requested certificates domains
- Finally, click on the green arrow to link this object to your rule
- In this case, your first rule will hook port 443 but only decrypt websites that use facebook.com and youtube.com in their certificates