Firewall Settings > SSL Control
SonicOS 5.8.1 Administrator Guide
SSL Control Configuration
SSL Control is located on the Firewall panel, under the SSL Control folder. SSL Control has a
global setting as well as a per-zone setting. By default, SSL Control is not enabled at the global
or zone level. The individual page controls are as follows (refer to the Key Concepts for SSL
Control section for more information on the terms used below).
• Enable SSL Control – The global setting for SSL Control. This must be enabled for SSL
Control applied to zones to be effective.
• Log the event – If an SSL policy violation, as defined within the Configuration section
below, is detected, the event will be logged, but the SSL connection will be allowed to
continue.
• Block the connection and log the event – In the event of a policy violation, the connection
will be blocked and the event will be logged.
• Enable Blacklist – Controls detection of the entries in the blacklist, as configured in the
Configure Lists section below.
• Enable Whitelist – Controls detection of the entries in the whitelist, as configured in the
Configure Lists section below. Whitelisted entries will take precedence over all other SSL
control settings.
• Detect Expired Certificates – Controls detection of certificates whose start date is before
the current system time, or whose end date is beyond the current system time. Date
validation depends on the SonicWALL’s System Time. Make sure your System Time is set
correctly, preferably synchronized with NTP, on the System > Time page.
• Detect SSLv2 – Controls detection of SSLv2 exchanges. SSLv2 is known to be susceptible
to cipher downgrade attacks because it does not perform integrity checking on the
handshake. Best practices recommend using SSLv3 or TLS in its place.
• Detect Self-signed certificates – Controls the detection of certificates where both the
issuer and the subject have the same common name.
• Detect Certificates signed by an Untrusted CA – Controls the detection of certificates
where the issuer’s certificate is not in the SonicWALL’s System > Certificates trusted
store.
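
The Detect SSLv2 item above depends on telling an SSLv2 exchange apart from SSLv3 or TLS on the wire. The following added example (not SonicOS code and not part of the original guide) classifies a client's first record by its framing and version field. The function names, the sample bytes, and the rule that only version 0x0002 counts as SSLv2 are assumptions made for illustration.

```python
# Added illustration, not SonicOS code: spot SSLv2 in a client's first bytes.
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2"}  # TLS 1.3 also sends 0x0303 in this field

def classify_client_hello(data: bytes) -> str:
    """Name the protocol implied by the first record a client sends."""
    if len(data) < 11:                  # both layouts need 11 bytes to judge
        return "incomplete"
    # SSLv3/TLS record: type 0x16 (handshake), major version 3, 2-byte length,
    # then handshake type 1 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        (offered,) = struct.unpack_from(">H", data, 9)
        return NAMES.get(offered, "unknown")
    # SSLv2 record: high bit of byte 0 marks a 2-byte header; byte 2 is the
    # message type (1 = CLIENT-HELLO), followed by version and three lengths.
    if data[0] & 0x80 and data[2] == 0x01:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        version, ciphers, sid, challenge = struct.unpack_from(">HHHH", data, 3)
        # Length fields must add up, and SSLv2 cipher specs are 3 bytes each;
        # this keeps arbitrary binary data from being misread as SSLv2.
        if rec_len != 9 + ciphers + sid + challenge or ciphers % 3:
            return "unknown"
        if version == 0x0002:
            return "SSLv2"
        return "SSLv2-framed hello offering " + NAMES.get(version, "unknown")
    return "unknown"

def ssl_control_action(data: bytes, detect_sslv2: bool, block: bool) -> str:
    """Model the guide's two outcomes for a violation: log only, or block and log.
    Assumption: only a hello with version 0x0002 counts as an SSLv2 exchange."""
    if detect_sslv2 and classify_client_hello(data) == "SSLv2":
        return "block and log" if block else "log"
    return "allow"

# Constructed sample inputs (not captured traffic); bodies are zero-filled.
SAMPLE_SSLV2 = bytes.fromhex("80 1c 01 00 02 00 03 00 00 00 10 01 00 80") + bytes(16)
SAMPLE_V2_FRAMED = bytes.fromhex("80 1c 01 03 01 00 03 00 00 00 10 00 00 2f") + bytes(16)
SAMPLE_TLS = bytes.fromhex("16 03 01 00 2d 01 00 00 29 03 03") + bytes(39)

if __name__ == "__main__":
    for name, sample in [("sslv2", SAMPLE_SSLV2), ("v2-framed", SAMPLE_V2_FRAMED),
                         ("tls", SAMPLE_TLS)]:
        print(name, "->", classify_client_hello(sample), "/",
              ssl_control_action(sample, detect_sslv2=True, block=True))
```

The middle sample shows why the version field matters: older clients wrapped an SSLv3 or TLS offer in SSLv2 framing for compatibility, so framing alone does not show that SSLv2 is being negotiated.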