User Guide

200
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
Note — After you upload the certificate and key, you can download the certificate
to transfer it to the client applications on the network. Do this using the Download
Certificate link in the uploaded key area.
8. In the Invalid Certificate Handling section, choose how the appliance handles HTTPS
traffic when it encounters invalid server certificates. You can drop, decrypt, or monitor
HTTPS traffic for the following types of invalid server certificates:
Expired. The certificate is either not yet valid, or it is currently past its valid-to date.
Mismatched hostname. The host name in the certificate does not match the host name
the client was trying to access. This might happen during a “man in the middle” attack,
or when a server redirects a request to a different URL. For example,
http://mail.google.com gets redirected to http://www.gmail.com.
Note — The Web Proxy can only perform host name match when it is deployed in
explicit forward mode. When it is deployed in transparent mode, it does not know
the host name of the destination server (it only knows the IP address), so it cannot
compare it to the host name in the server certificate.
Unrecognized root authority. The root certificate authority for the certificate is not in
the set of trusted root authorities on the appliance.
All other error types. Most other error types are due to the appliance not being able to
complete the SSL handshake with the HTTPS server. For more information about
additional error scenarios for server certificates, see
http://www.openssl.org/docs/apps/verify.html.
Note — When a certificate is both expired and has an unrecognized root authority, the
Web Security appliance performs the action specified for an unrecognized root authority.
For more information about handling invalid server certificates, see “Validating Digital
Certificates” on page 190.
9. Submit and commit your changes.
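The following is an added illustration of the decision logic described in step 8, not code from the appliance or from this guide: it classifies a server certificate into the four error types above, skips the host name check in transparent mode, applies the expired-plus-unrecognized-root precedence rule from the note, and maps the result to a configured drop/decrypt/monitor action. The policy, certificates, root names and the severity tie-break for combinations the guide does not cover are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
SEVERITY = {"drop": 2, "decrypt": 1, "monitor": 0}  # tie-break order (assumption)

@dataclass
class ServerCert:
    hostname: str              # host name the certificate was issued to
    not_before: datetime
    not_after: datetime
    root_ca: str               # root authority at the top of the chain
    handshake_ok: bool = True  # False models "all other error types"
def find_errors(cert, requested_host, trusted_roots, now, explicit_mode=True):
    """List the invalid-certificate categories from the guide that apply."""
    if not cert.handshake_ok:
        return ["other"]
    errors = []
    if now < cert.not_before or now > cert.not_after:
        errors.append("expired")
    # Transparent mode: the proxy only knows the destination IP, so the host
    # name comparison cannot be performed and is skipped.
    if explicit_mode and cert.hostname != requested_host:
        errors.append("mismatched_hostname")
    if cert.root_ca not in trusted_roots:
        errors.append("unrecognized_root")
    return errors
def choose_action(errors, policy):
    if not errors:
        return None  # valid certificate: no invalid-certificate action applies
    if "unrecognized_root" in errors:
        # Guide: expired + unrecognized root -> the unrecognized-root action wins.
        return policy["unrecognized_root"]
    # Other combinations: most severe configured action (assumption, not from the guide).
    return max((policy[e] for e in errors), key=SEVERITY.__getitem__)

# Constructed sample policy and certificates (not taken from the guide).
POLICY = {"expired": "monitor", "mismatched_hostname": "decrypt",
          "unrecognized_root": "drop", "other": "drop"}
TRUSTED = {"Example Root CA"}
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
OLD = ServerCert("mail.example.com", datetime(2008, 1, 1, tzinfo=timezone.utc),
                 datetime(2009, 12, 31, tzinfo=timezone.utc), "Unknown Root")
CURRENT = ServerCert("mail.example.com", datetime(2010, 1, 1, tzinfo=timezone.utc),
                     datetime(2011, 1, 1, tzinfo=timezone.utc), "Example Root CA")
def run_examples():
    cases = {
        "expired+untrusted": find_errors(OLD, "mail.example.com", TRUSTED, NOW),
        "redirect_explicit": find_errors(CURRENT, "www.example.com", TRUSTED, NOW),
        "redirect_transparent": find_errors(CURRENT, None, TRUSTED, NOW, explicit_mode=False),
    }
    return {k: (v, choose_action(v, POLICY)) for k, v in cases.items()}
```

The third case shows why the transparent-mode note matters: the same redirected request that is flagged as a host name mismatch in explicit mode produces no error at all when the proxy only knows the destination IP.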