Decrypting TLS/SSL connections

This functionality is available only in an application deployed from an ISO image. When the application is installed from an RPM or DEB package, the administrator must configure decryption of TLS/SSL connections using the resources of the proxy server.

Users' computers may connect to web resources using unencrypted or encrypted connections. Kaspersky Web Traffic Security can scan both types of traffic. Unencrypted connections are scanned using standard traffic processing rules. To process encrypted traffic, you must configure decryption of TLS/SSL connections. If decryption is not configured, the application will not be able to apply all settings of access rules, or perform scans using the Anti-Virus and Anti-Phishing modules within the scope of protection rules.

In the documentation and in the web interface of the application, the term "SSL" is used as a well-established synonym for encryption (SSL connections, SSL rules). However, to establish encrypted connections, it is recommended to use the TLS version 1.2 protocol because the SSL protocol is outdated and unsafe.

Decryption of SSL connections consists of the following steps.

  1. Reading the special considerations for handling encrypted connections

    To understand how the application works and to correctly configure the settings, it is recommended to first read the specific features of processing CONNECT requests and establishing TLS connections.

  2. Adding a certificate for intercepting SSL connections

    After adding one or multiple certificates, you must assign the active status to one of them. If no certificate is active, you cannot enable decryption of SSL connections.

  3. Enabling decryption of SSL connections
  4. Selecting the default action for SSL connections

    The default action will be applied to SSL connections that do not meet the conditions of any SSL rule.

  5. Creating and configuring SSL rules

    Using SSL rules, you can define the actions the application takes on SSL connections depending on the source or destination of the connection.

  6. Adding trusted certificates

    The proxy server will assign the Trusted status to the security certificates of web resources to which the Bump action is applied.

In this Help section

Processing CONNECT requests

About TLS connections

Managing certificates for intercepting SSL connections

Enabling and disabling decryption of SSL connections

Selecting the default action for SSL connections

Managing SSL rules

Managing trusted certificates

Page top