Traditional SSL optimization uses the destination IP address and port number to identify the back-end server.
- Reuse cached server specific information (optimizable server table)
- Bypass table is also maintained per {destination IP/port}
- Assumes client begins communication with SSL messages
Client <---> CFE <---> SFE <---> SSL Server
SSL connection via a proxy
- Connections to multiple SSL servers go through the same proxy
- Destination is {proxy IP address, proxy port number}
- IP/port of the actual SSL server is not known to the SHs
- IP/port can no longer be used as the table key
- Communication begins with HTTP (CONNECT) and then switches to SSL
Client <---> CFE <---> SFE <---> Proxy <---> SSL Server
Client -> Proxy: CONNECT sslserver.com:443 HTTP/1.1
Proxy <-> SSL Server: TCP connection setup
Proxy -> Client: HTTP/1.1 200 OK
Client -> Proxy: Client Hello
Proxy <-> SSL Server: Client Hello forwarded
Proxy -> Client: Server Hello
What if the proxy is configured for both HTTP and HTTPS?
- Bypass SSL opt if the method is regular HTTP (e.g., GET, POST)
- Continue to perform HTTP opt for regular HTTP traffic
What if a non-SSL/non-HTTP packet is received?
- Bypass SSL opt as well as HTTP opt entirely
- Additionally enable mid-session-ssl for late-start SSL traffic
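The first-packet decision described above, as an added illustration (not product code): parse the CONNECT request line to obtain the {server hostname, port} key, treat a plain HTTP method as HTTP-only traffic, treat a TLS ClientHello as the traditional IP/port-keyed path, and bypass everything else while arming mid-session SSL. The table contents and helper names are constructed for the example.

```python
import re

# Constructed sample tables, keyed per {server hostname, port} because the
# destination IP/port only identifies the proxy once it sits in the path.
OPTIMIZABLE = {("sslserver.com", 443)}   # discovered, optimizable SSL servers
BYPASS = {("legacy.example", 443)}       # servers that previously failed SSL opt

CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:/]+):(\d+)\s+HTTP/1\.[01]\r\n")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the client's first bytes: 'ssl-proxy' (CONNECT seen, key is
    hostname:port), 'http' (regular method: SSL opt off, HTTP opt on), 'tls'
    (ClientHello with no proxy), or 'other' (bypass both, arm mid-session SSL)."""
    m = CONNECT_RE.match(data)
    if m:
        key = (m.group(1).decode("ascii").lower(), int(m.group(2)))
        return {"kind": "ssl-proxy", "key": key, "ssl_opt": True,
                "http_opt": False, "mid_session_ssl": False}
    if data.startswith(HTTP_METHODS):
        return {"kind": "http", "key": None, "ssl_opt": False,
                "http_opt": True, "mid_session_ssl": False}
    # TLS record header: content type 0x16 (handshake), major version 3,
    # first handshake message type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"kind": "tls", "key": None, "ssl_opt": True,
                "http_opt": False, "mid_session_ssl": False}
    return {"kind": "other", "key": None, "ssl_opt": False,
            "http_opt": False, "mid_session_ssl": True}


def decide(data: bytes, optimizable=OPTIMIZABLE, bypass=BYPASS) -> str:
    """Turn the classification into a table decision:
    'optimize', 'bypass', 'discover' (unknown server, learn it) or
    'traditional' (no proxy, so fall back to the IP/port-keyed lookup)."""
    info = classify_first_bytes(data)
    if not info["ssl_opt"]:
        return "bypass"
    if info["key"] is None:
        return "traditional"
    if info["key"] in bypass:
        return "bypass"
    if info["key"] in optimizable:
        return "optimize"
    return "discover"
```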
Configuration CLI:
- Proxy support (SFE/CFE)
protocol ssl ssl-proxy enable
show protocol ssl proxy-support
- Bypass table (SFE)
show protocol ssl backend bypass-table
no protocol ssl backend bypass-table [client-ip *] server-ip * [port *] server-hostname *
Configuration Web UI:
SSL > Configure > Optimization > Advanced Settings page
Enable SSL Proxy Support (CFE/SFE)
* Requires a service restart
In-path rule for proxy ip/port (CFE)
Pre-opt policy: SSL
Test and Validation:
Reports > Current Connections
Configure > Optimization > SSL Main Settings page
Discovered SSL Servers (Optimizable)