SonicWALL SonicOS 5.

0: SSL Control
Feature Module Document

Overview of SSL Control

SonicOS Enhanced 4.0 introduces SSL Control, a system for providing visibility into the handshake of SSL
sessions, and a method for constructing policies to control the establishment of SSL connections. SSL
(Secure Sockets Layer) is the dominant standard for the encryption of TCP based network communications,
with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital
certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network
communications.

An effect of the security provided by SSL is the obscuration of all payload, including the URL (Uniform
Resource Locator, for example, https://www.mysonicwall.com) being requested by a client when
establishing an HTTPS session. This is due to the fact that that HTTP is transported within the encrypted
SSL tunnel when using HTTPS. It is not until the SSL session is established (step 14, figure 1) that the actual
target resource (www.mysonicwall.com) is requested by the client, but since the SSL session is already
established, no inspection of the session data by the firewall or any other intermediate device is possible. As
a result, URL based content filtering systems cannot consider the request to determine permissibility in any
way other than by IP address.

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 1

 While IP address based filtering does not work well for unencrypted HTTP because of the efficiency and
popularity of Host-header based virtual hosting (defined in Key Concepts below), IP filtering can work
effectively for HTTPS due to the rarity of Host-header based HTTPS sites. But this trust relies on the
integrity of the HTTPS server operator, and assumes that SSL is not being used for deceptive purposes.

For the most part, SSL is employed legitimately, being used to secure sensitive communications, such as
online shopping or banking, or any session where there is an exchange of personal or valuable information.
The ever decreasing cost and complexity of SSL, however, has also spurred the growth of more dubious
applications of SSL, designed primarily for the purposes of obfuscation or concealment rather than security.

An increasingly common camouflage is the use of SSL encrypted web-based proxy servers for the purpose
of hiding browsing details, and bypassing content filters. While it is simple to block well known HTTPS
proxy services of this sort by their IP address, it is virtually impossible to block the thousands of
privately-hosted proxy servers that are readily available through a simple web-search. The challenge is not
the ever-increasing number of such services, but rather their unpredictable nature. Since these services are
often hosted on home networks using dynamically addressed DSL and cable modem connections, the
targets are constantly moving. Trying to block an unknown SSL target would require blocking all SSL traffic,
which is practically infeasible.

SSL Control provides a number of methods to address this challenge by arming the security administrator
with the ability to dissect and apply policy based controls to SSL session establishment. While the current
implementation does not decode the SSL application data, it does allow for gateway-based identification and
disallowance of suspicious SSL traffic.

2 SonicWALL SonicOS 5.0: SSL Control Feature Module Document

Key Features of SSL Control

Feature Benefit
Common-Name based White/Black Lists The administrator can define lists of explicitly
allowed or denied certificate subject common
names (described in Key Concepts). Entries will be
matched on substrings, for example, a blacklist
entry for “prox” will match
“www.megaproxy.com”, “www.proxify.com” and
“proxify.net”. This allows the administrator to
easily block all SSL exchanges employing
certificates issued to subjects with potentially
objectionable names. Inversely, the administrator
can easily authorize all certificates within an
organization by whitelisting a common substring
for the organization. Each list can contain up to
1,024 entries.

Since the evaluation is performed on the subject

common-name embedded in the certificate, even if
the client attempts to conceal access to these sites
by using an alternative hostname or even an IP
address, the subject will always be detected in the
certificate, and policy will be applied.

Self-Signed Certificate Control It is common practice for legitimate sites secured by

SSL to use certificates issued by well-known
certificate authorities, as this is the foundation of
trust within SSL. It is almost equally common for
network appliances secured by SSL (such as
SonicWALL security appliances) to use self-signed
certificates for their default method of security. So
while self-signed certificates in
closed-environments are not suspicious, the use of
self-signed certificates by publicly or commercially
available sites is. A public site using a self-signed
certificate is often an indication that SSL is being
used strictly for encryption rather than for trust and
identification. While not absolutely incriminating,
this sometimes suggests that concealment is the
goal, as is commonly the case for SSL encrypted
proxy sites.

The ability to set a policy to block self-signed

certificates allows security administrators to protect
against this potential exposure. To prevent
discontinuity of communications to known/trusted
SSL sites using self-signed certificates, the whitelist
feature can be used for explicit allowance.

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 3

 Feature
Untrusted Certificate Authority Control
SSL version, Cipher Strength, and Certificate
Validity Control
Zone-Based Application
Configurable Actions and Event Notifications
4 SonicWALL SonicOS 5.0: SSL Control Feature Module Document
Benefit
Like the use of self-signed certificates, encountering
a certificate issued by an untrusted CA isn’t an
absolute indication of disreputable obscuration, but
it does suggest questionable trust.
SSL Control can compare the issuer of the
certificate in SSL exchanges against the certificates
in the SonicWALL’s certificate store. The certificate
store contains approximately 100 well-known CA
certificates, exactly like today’s web-browsers. If
SSL Control encounters a certificate that was issued
by a CA not in its certificate store, it can disallow
the SSL connection.
For organizations running their own private
certificate authorities, the private CA certificate can
easily be imported into the SonicWALL’s certificate
store to recognize the private CA as trusted. The
store can hold up to 256 certificates.
SSL Control provides additional management of
SSL sessions based on characteristics of the
negotiation, including the ability to disallow the
potentially exploitable SSLv2, the ability to disallow
weak encryption (ciphers less than 64 bits), and the
ability to disallow SSL negotiations where a
certificate’s date ranges are invalid. This enables the
administrator to create a rigidly secure environment
for network users, eliminating exposure to risk
through unseen cryptographic weaknesses, or
through disregard for or misunderstanding of
security warnings.
SSL Control is applied at the zone level, allowing
the administrator to enforce SSL policy on the
network. When SSL Control is enabled on the zone,
the SonicWALL looks for Client Hellos sent from
clients on that zone through the SonicWALL will
trigger inspection. The SonicWALL then looks for
the Server Hello and Certificate that is sent in
response for evaluation against the configured
policy. Enabling SSL Control on the LAN Zone, for
example, will inspect all SSL traffic initiated by
clients on the LAN to any destination zone.
When SSL Control detects a policy violation, it can
log the event and block the connection, or it can
simply log the event while allowing the connection
to proceed.
Key Concepts to SSL Control
• •SSL- SSL, or Secure Sockets Layer, is a network security mechanism introduced by Netscape in 1995.
SSL was designed “to provide privacy between two communicating applications (a client and a server)
… [and also] to authenticate the server, and optionally the client.”1 SSL’s most popular application is
HTTPS, designated by a URL beginning with https:// rather than simply http://, and it is recognized
as the standard method of encrypting web traffic on the Internet. An SSL HTTP transfer typically uses
TCP port 443, whereas a regular HTTP transfer uses TCP port 80. Although HTTPS is what SSL is
best known for, SSL is not limited to securing HTTP, but can also be used to secure other TCP
protocols such as SMTP, POP3, IMAP, and LDAP. SSL session establishment occurs as follows:

• SSLv2 – The earliest version of SSL still in common use. SSLv2 was found to have a number of
weaknesses, limitations, and theoretical deficiencies (comparatively noted in the SSLv3 entry), and is
looked upon with scorn, disdain, and righteous indignation by security purists.

1. http://wp.netscape.com/eng/security/SSL_2.html

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 5

 • SSLv3 – SSLv3 was designed to maintain backward compatibility with SSLv2, while adding the
following enhancements:
– Alternate key exchange methods, including Diffie-Hellman.
– Hardware token support for both key exchange and bulk encryption.
– SHA, DSS, and Fortezza support.
– Out-of-Band data transfer.
– TLS – Transport Layer Security (version 1.0), also known as SSLv3.1, is very similar to SSLv3, but
improves upon SSLv3 in the following ways:

SSL
Uses a preliminary HMAC algorithm
Does not apply MAC to version info
Does not specify a padding value
Limited set of alerts and warning
TLS
Uses HMAC as described in RFC 2104
Applies MAC to version info
Initializes padding to a specific value
Detailed Alert and Warning messages

• MAC – A MAC (Message Authentication Code) is calculated by applying an algorithm (such as MD5
or SHA1) to data. The MAC is a message digest, or a one-way hash code that is fairly easy to compute,
but which is virtually irreversible. In other words, with the MAC alone, it would be theoretically
impossible to determine the message upon which the digest was based. It is equally difficult to find two
different messages that would result in the same MAC. If the receiver’s MAC calculation matches the
sender’s MAC calculation on a given piece of data, the receiver is assured that the data has not been
altered in transit
• Client Hello – The first message sent by the client to the server following TCP session establishment.
This message starts the SSL session, and consists of the following components:
• Version – The version of SSL that the client wishes to use in communications. This is usually the most
recent version of SSL supported by the client.
• Random – a 32-bit timestamp coupled with a 28 byte random structure.
• Session ID – This can either be empty if no Session ID data exists (essentially requesting a new session)
or can reference a previously issued Session ID.
• Cipher Suites – A list of the cryptographic algorithms, in preferential order, supported by the clients.
• Compression Methods – A list of the compression methods supported by the client (typically null).
• Server Hello – The SSL server’s response to the Client Hello. It is this portion of the SSL exchange
that SSL Control inspects. The Server Hello contains the version of SSL negotiated in the session, along
with cipher, session ID and certificate information. The actual X.509 server certificate itself, although
a separate step of the SSL exchange, usually begins (and often ends) in the same packet as the Server
Hello.
• Certificates - X.509 certificates are unalterable digital stamps of approval for electronic security. There
are four main characteristics of certificates:
– Identify the subject of a certificate by a common name or distinguished name (CN or DN).
– Contain the public key that can be used to encrypt and decrypt messages between parties
– Provide a digital signature from the trusted organization (Certificate Authority) that issued the
certificate.
– Indicate the valid date range of the certificate

6 SonicWALL SonicOS 5.0: SSL Control Feature Module Document

• Subject – The grantee of a certificate identified by a common name (CN). When a client browses to an
SSL site, such as https://www.mysonicwall.com, the server sends its certificate which is then evaluated
by the client. The client checks that the certificate’s dates are valid, that is was issued by a trusted CA,
and that the subject CN matches the requested host name (i.e. they are both “www.mysonicwall.com”).
Although a subject CN mismatch elicits a browser alert, it is not always a sure sign of deception. For
example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as
www.mysonicwall.com, the server will present its certificate bearing the subject CN of
www.mysonicwall.com. An alert will be presented to the client, despite the total legitimacy of the
connection.
• Certificate Authority (CA) - A Certificate Authority (CA) is a trusted entity that has the ability to sign
certificates intended, primarily, to validate the identity of the certificate’s subject. Well-known certificate
authorities include VeriSign, Thawte, Equifax, and Digital Signature Trust. In general, for a CA to be
trusted within the SSL framework, its certificate must be stored within a trusted store, such as that
employed by most web-browsers, operating systems and run-time environments. The SonicOS trusted
store is accessible from the System > Certificates page. The CA model is built on associative trust,
where the client rusts a CA (by having the CA's certificate in its trusted store), the CA trusts a subject
(by having issued the subject a certificate), and therefore the client can trust the subject.
• Untrusted CA – An untrusted CA is a CA that is not contained in the trusted store of the client. In
the case of SSL Control, an untrusted CA is any CA whose certificate is not present in System >
Certificates.
• Self-Signed Certificates – Any certificate where the issuer’s common-name and the subject’s
common-name are the same, indicating that the certificate was self-signed.
• Virtual Hosting – A method employed by web-servers to host more than one web-site on a single
server. A common implementation of virtual hosting is name-based (Host-header) virtual hosting,
which allows for a single IP address to host multiple web-sites. With Host-header virtual hosting, the
server determines the requested site by evaluating the “Host:” header sent by the client. For example,
both www.website1.com and www.website2.com might resolve to 64.41.140.173. If the client sends a
“GET /” along with “Host: www.website1.com”, the server can return content corresponding to that
site.
• Host-header virtual hosting is generally not employed in HTTPS because the host header cannot be
read until the SSL connection is established, but the SSL connection cannot be established until the
server sends its Certificate. Since the server cannot determine which site the client will request (all that
is known during the SSL handshake is the IP address) it cannot determine the appropriate certificate to
send. While sending any certificate might allow the SSL handshake to commence, a certificate name
(subject) mismatch will trigger a browser alert.
• Weak Ciphers – Relatively weak symmetric cryptography ciphers. Ciphers are classified as weak when
they are less than 64 bits. For the most part, export ciphers are weak ciphers. The following is a list of
common weak ciphers:
Cipher Encryption Occurs In
EXP1024-DHE-DSS-DES-CBC-SHA DES (56) SSLv3, TLS (export)
EXP1024-DES-CBC-SHA DES (56) SSLv3, TLS (export)
EXP1024-RC2-CBC-MD5 RC2 (56) SSLv3, TLS (export)
EDH-RSA-DES-CBC-SHA DES (56) SSLv3, TLS
EDH-DSS-DES-CBC-SHA DES (56) SSLv3, TLS
DES-CBC-SHA DES (56) SSLv2, SSLv3, TLS
EXP1024-DHE-DSS-RC4-SHA RC4 (56) SSLv3, TLS (export)
EXP1024-RC4-SHA RC4 (56) SSLv3, TLS (export)
EXP1024-RC4-MD5 RC4 (56) SSLv3, TLS (export)
EXP-EDH-RSA-DES-CBC-SHA DES (40) SSLv3, TLS (export)
EXP-EDH-DSS-DES-CBC-SHA DES (40) SSLv3, TLS (export)
EXP-DES-CBC-SHA DES (40) SSLv3, TLS (export)
EXP-RC2-CBC-MD5 RC2 (40) SSLv2, SSLv3, TLS (export)
EXP-RC4-MD5 RC4 (40) SSLv2, SSLv3, TLS (export)

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 7

Caveats and Advisories
1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly
advised that you add the common names of any SSL secured network appliances within your
organization to the whitelist to ensure that connectivity to these devices is not interrupted. For example,
the default subject name of SonicWALL UTM appliances is “192.168.168.168”, and the default
common name of SonicWALL SSL-VPN appliances is “192.168.200.1”.
2. If your organization employs its own private Certificate Authority (CA), it is strongly advised that you
import your private CA’s certificate into the System > Certificates store, particularly if you will be
enforcing blocking of certificates issued by untrusted CAs. Refer to the System > Certificates section
of the SonicOS Enhanced Administrator’s Guide for more information on this process.
3. SSL Control inspection is currently only performed on TCP port 443 traffic. SSL negotiations occurring
on non-standard ports will not be inspected at this time.
4. Server Hello fragmentation – In some rare instances, an SSL server will fragment the Server Hello.
If this occurs, the current implementation of SSL Control will not decode the Server Hello. SSL Control
policies will not be applied to the SSL session, and the SSL session will be allowed.
5. Session termination handling – When SSL Control detects a policy violation and terminates an SSL
session, it will simply terminate the session at the TCP layer. Because the SSL session is in an embryonic
state at this point, it is not currently possible to redirect the client, or to provide any kind of
informational notification of termination to the client.
6. Whitelist precedence – The whitelist takes precedence over all other SSL Control elements. Any SSL
server certificate which matches an entry in the whitelist will allow the SSL session to proceed, even if
other elements of the SSL session are in violation of the configured policy. This is by design.
7. SonicOS Enhanced 4.0 increased the number of pre-installed (well-known) CA certificates from 8 to
93. The resulting repository is very similar to what can be found in most web-browsers. Other
certificate related changes:
a. The maximum number of CA certificates was raised from 6 to 256
b. The maximum size of an individual certificate was raised from 2,048 to 4,096.
c. The maximum number of entries in the whitelist and blacklist is 1,024 each.

8 SonicWALL SonicOS 5.0: SSL Control Feature Module Document

SSL Control Configuration
SSL Control is located on Firewall panel, under the SSL Control Folder. SSL Control has a global setting,
as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual
page controls are as follows (refer the Key Concepts for SSL Control section for more information on terms
used below):

• Enable SSL Control – The global setting for SSL Control. This must be enabled for SSL Control
applied to zones to be effective.
• Log the event – If an SSL policy violation, as defined within the Configuration section below, is
detected, the event will be logged, but the SSL connection will be allowed to continue.
• Block the connection and log the event – In the event of a policy violation, the connection will be
blocked and the event will be logged.
• Enable Blacklist – Controls detection of the entries in the blackist, as configured in the Configure
Lists section below.
• Enable Whitelist – Controls detection of the entries in the whitelist, as configured in the Configure
Lists section below. Whitelisted entries will take precedence over all other SSL control settings.
• Detect Expired Certificates – Controls detection of certificates whose start date is before the current
system time, or whose end date is beyond the current system time. Date validation depends on the
SonicWALL’s System Time. Make sure your System Time is set correctly, preferably synchronized with
NTP, on the System > Time page.
• Detect SSLv2 – Controls detection of SSLv2 exchanges. SSLv2 is known to be susceptible to cipher
downgrade attacks because it does not perform integrity checking on the handshake. Best practices
recommend using SSLv3 or TLS in its place.

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 9

 • Detect Self-signed certificates – Controls the detection of certificates where both the issuer and the
subject have the same common name.
• Detect Certificates signed by an Untrusted CA – Controls the detection of certificates where the
issuer’s certificate is not in the SonicWALL’s System > Certificate trusted store.
• Detect Weak Ciphers (<64 bits) – Controls the detection of SSL sessions negotiated with symmetric
ciphers less than 64 bits, commonly indicating export cipher usage.
• Configure Blacklist and Whitelist – Allows the administrator to define strings for matching common
names in SSL certificates. Entries are case-insensitive, and will be used in pattern-matching fashion, for
example:

Entry Will Match Will Not Match

sonicwall.com https://www.sonicwall.com, https://www.sonicwall.de
https://csm.demo.sonicwall.com,
https://mysonicwall.com,
https://supersonicwall.computer
s.org, https://67.115.118.87 1
prox https://proxify.org, https://www.freeproxy.ru 3
https://www.proxify.org,
https://megaproxy.com,
https://1070652204 2
1. 67.115.118.67 is currently the IP address to which sslvpn.demo.sonicwall.com resolves, and that site uses a certificate issued to
sslvpn.demo.sonicwall.com. This will result in a match to “sonicwall.com” since matching occurs based on the common name in
the certificate.
2. This is the decimal notation for the IP address 63.208.219.44, whose certificate is issued to www.megaproxy.com.
3. www.freeproxy.ru will not match “prox” since the common name on the certificate that is currently presented by this site is a
self-signed certificate issued to “-“. This can, however, easily be blocked by enabling control of self-signed or Untrusted CA
certificates.

10 SonicWALL SonicOS 5.0: SSL Control Feature Module Document

 To configure the Whitelist and Blacklist, click the Configure button to bring up the following window.

Entries can be added, edited and deleted with the buttons beneath each list window.

Note List matching will be based on the subject common name in the certificate presented in the
SSL exchange, not in the URL (resource) requested by the client.

Changes to any of the SSL Control settings will not affect currently established connections; only new SSL
exchanges that occur following the change commit will be inspected and affected.

Enabling SSL Control on Zones

Once SSL Control has been globally enabled, and the desired options have been configured, SSL Control
must be enabled on one or more zones.

When SSL Control is enabled on the zone, the SonicWALL looks for Client Hellos sent from clients on that
zone through the SonicWALL will trigger inspection. The SonicWALL then looks for the Server Hello and
Certificate that is sent in response for evaluation against the configured policy. Enabling SSL Control on the
LAN Zone, for example, will inspect all SSL traffic initiated by clients on the LAN to any destination zone.

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 11

 Note If you are activating SSL Control on a zone (for example, the LAN zone) where there are
clients who will be accessing an SSL server on another zone connected to the SonicWALL
(for example, the DMZ zone) it is recommended that you add the subject common name of
the that server’s certificate to the whitelist to ensure continuous trusted access.

To enable SSL Control on a zone, browse to the Network > Zones page, and select the configure icon for
the desired zone. In the Edit Zone window, select the Enable SSL Control checkbox, and click OK. All new
SSL connections initiated from that zone will now be subject to inspection.

SSL Control Events

The following illustrates and describes the possible SSL Control events:

Log events will include the client’s username in the notes section (not shown) if the user logged in manually,
or was identified through CIA/Single Sign On. If the user’s identity is not available, the note will indicate
that the user is Unidentified.

12 SonicWALL SonicOS 5.0: SSL Control Feature Module Document

# Event Message Occurs When
1 SSL Control: The certificate’s start date is before the SonicWALL’s system time, or when the end date is after
Certificate with the system time. Note that for this illustration, the system time of the SonicWALL was set well
invalid date into the future. Smithbarney.com is just peachy.
2 SSL Control: The certificate has been issued by an intermediate CA (chained certificate authority) with a
Certificate chain trusted top-level CA, but the SSL server did not present the intermediate certificate. This log
not complete event is informational, and does not affect the SSL connection.
3 SSL Control: The certificate being presented is self-signed, in other words, a certificate where the CN of the
Self-signed issuer and the subject match. Note: See entry #1 in the Caveats and Advisories section for
certificate information about enforcing self-signed certificate controls.
4 SSL Control: The certificate being presented has been issued by a CA that is not in the System > Certificates
Untrusted CA store of the SonicWALL. Note: See entry #2 in the Caveats and Advisories section for
information about enforcing untrusted CA controls.
5 SSL Control: The common name of the subject matched a pattern entered into the blacklist. In this example,
Website found in the pattern “prox” was entered, and the certificate presented was issued to the subject
blacklist “www.megaproxy.com” matched, triggering the violation.
6 SSL Control: The symmetric cipher being negotiated was less than 64 bits. In this example, the cipher
Weak cipher DES-CBC-SHA was negotiated. Refer to the table in the Weak Ciphers entry of Key Concepts to
being used SSL Control section for a list of weak ciphers.
7 See #2 See #2
8 SSL Control: The Server Hello from the SSL server was undecipherable. Also occurs when the Certificate and
Failed to decode Server Hello are in different packets, as will be the case when connecting to SSL server on
Server Hello SonicWALL UTM (firewall and CSM) appliances. This log event is informational, and does not
affect the SSL connection.
9 SSL Control: The common name of the subject (typically a website) matched a pattern entered into the
Website found in whitelist. Whitelist entries are always allowed, even if there are other policy violations in the
whitelist negotiation, such as SSLv2 or weak-ciphers. In this example, the pattern “sonicwall.com” was
entered, and the certificate presented was issued to “sslvpn.demo.sonicwall.com”
10 SSL Control: The SSL session was being negotiated using SSLv2. SSLv2 is known to be susceptible to
HTTPS via certain types of man-in-the-middle attacks. Best practices recommend using SSLv3 or TLS in its
SSLv2 place.

SonicWALL SonicOS 5.0: SSL Control Feature Module Document 13

14 SonicWALL SonicOS 5.0: SSL Control Feature Module Document 232-001239-00 Rev A