Firewall Settings > SSL Control
784
SonicOS 5.8.1 Administrator Guide
Caveats and Advisories
1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is
strongly advised that you add the common names of any SSL secured network appliances
within your organization to the whitelist to ensure that connectivity to these devices is not
interrupted. For example, the default subject name of SonicWALL UTM appliances is
“192.168.168.168”, and the default common name of SonicWALL SSL VPN appliances is
“192.168.200.1”.
2. If your organization employs its own private Certificate Authority (CA), it is strongly advised
that you import your private CA’s certificate into the System > Certificates store,
particularly if you will be enforcing blocking of certificates issued by untrusted CAs. Refer
to the System > Certificates section of the SonicOS Enhanced Administrator’s Guide for
more information on this process.
3. SSL Control inspection is currently only performed on TCP port 443 traffic. SSL
negotiations occurring on non-standard ports will not be inspected at this time.
4. Server Hello fragmentation – In some rare instances, an SSL server will fragment the
Server Hello. If this occurs, the current implementation of SSL Control will not decode the
Server Hello. SSL Control policies will not be applied to the SSL session, and the SSL
session will be allowed.
5. Session termination handling – When SSL Control detects a policy violation and
terminates an SSL session, it will simply terminate the session at the TCP layer. Because
the SSL session is in an embryonic state at this point, it is not currently possible to redirect
the client, or to provide any kind of informational notification of termination to the client.
6. Whitelist precedence – The whitelist takes precedence over all other SSL Control
elements. Any SSL server certificate which matches an entry in the whitelist will allow the
SSL session to proceed, even if other elements of the SSL session are in violation of the
configured policy. This is by design.
7. SonicOS Enhanced 5.0 increased the number of pre-installed (well-known) CA certificates
from 8 to 93. The resulting repository is very similar to what can be found in most Web
browsers. Other certificate-related changes:
a. The maximum number of CA certificates was raised from 6 to 256.
b. The maximum size of an individual certificate was raised from 2,048 to 4,096.
c. The maximum number of entries in the whitelist and blacklist is 1,024 each.
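Caveats 1 through 6 together define an evaluation order with two fail-open paths (non-443 traffic and a fragmented Server Hello) and one deliberate override (the whitelist). The following Python model is an added illustration of that order, not SonicOS code; it assumes whitelist and blacklist entries match on the certificate common name, that the imported CA store is keyed by issuer common name, and that the blacklist is checked before the self-signed and untrusted-CA tests (the page does not state that last ordering).

```python
from dataclasses import dataclass, field

# Constructed model of the SSL Control decision flow described in the caveats.
# Field and class names are assumptions for illustration, not SonicOS identifiers.

@dataclass
class SslSession:
    dst_port: int                 # TCP destination port of the client connection
    subject_cn: str               # common name in the server certificate subject
    issuer_cn: str                # common name of the certificate issuer
    server_hello_fragmented: bool = False

@dataclass
class SslControlPolicy:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    trusted_ca_cns: set = field(default_factory=set)  # System > Certificates store
    block_self_signed: bool = False
    block_untrusted_ca: bool = False

    def evaluate(self, s: SslSession) -> tuple:
        """Return (action, reason). A 'block' is a TCP-layer teardown: the session is
        still embryonic, so no redirect or notification ever reaches the client (caveat 5)."""
        # Caveat 3: only TCP/443 is inspected; other ports pass without inspection.
        if s.dst_port != 443:
            return "allow", "not inspected: non-standard port"
        # Caveat 4: a fragmented Server Hello is not decoded, so no policy is applied.
        if s.server_hello_fragmented:
            return "allow", "not inspected: fragmented Server Hello"
        # Caveat 6: the whitelist takes precedence over every other element, by design.
        if s.subject_cn in self.whitelist:
            return "allow", "whitelisted"
        if s.subject_cn in self.blacklist:
            return "block", "blacklisted"
        # Caveat 1: a self-signed certificate names itself as issuer.
        if self.block_self_signed and s.subject_cn == s.issuer_cn:
            return "block", "self-signed certificate"
        # Caveat 2: an issuer missing from the imported CA store is untrusted.
        if self.block_untrusted_ca and s.issuer_cn not in self.trusted_ca_cns:
            return "block", "untrusted CA"
        return "allow", "policy passed"

def uninspected_count(policy: SslControlPolicy, sessions: list) -> int:
    """Count sessions that bypass inspection entirely, i.e. the fail-open cases
    a defender should track when relying on SSL Control for enforcement."""
    return sum(1 for s in sessions if policy.evaluate(s)[1].startswith("not inspected"))
```

Running the model with the default SonicWALL UTM subject name from caveat 1 in the whitelist shows why that entry is needed: without it, enabling self-signed enforcement would block management access to the appliance.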