Fine-tune a Handshake on Secure Connections
Configure the settings used to negotiate an initial SSL/TLS handshake and to retry the negotiation with alternative settings.
- In Skyhigh CASB, select Policy > Web Policy > Feature Configuration.
- Select Certificate Verification Options > Default Certificate Verification.
- From the Actions drop-down list, select Clone and Edit.
- Provide a name for the feature configuration and an optional comment.
- Configure the Protocol Settings:
- Minimum SSL Version allowed — Select the latest TLS version allowed. Select SSL 3.0 only for backward compatibility.
- Maximum SSL Version allowed — Select the earliest TLS version allowed.
- TLS cipher list — (Optional) Provide a string of OpenSSL cipher symbols.
This information might be needed to decrypt data received from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
- SSL session cache TTL — Specify how long, in seconds, the SSL session parameters can be stored in the cache.
- When these settings are selected, the certificate verification options feature:
- Allow handshake and renegotiation with servers that do not implement RFC 5746 — Allows renegotiation of an existing handshake with servers that do not comply with RFC 5746, an extension of the TLS protocol.
- Send empty plaintext fragment — Includes an empty plaintext fragment in communications.
- Allow legacy signatures in the handshake — Allows legacy signatures to be used in the initial handshake.
- Identify and bypass Skype for Business traffic — Identifies Skype for Business traffic and allows it to bypass certificate verification.
- Select Use alternative handshake settings after handshake failure to allow the certificate verification options feature to try negotiating a handshake again, while providing different values for these settings:
- Minimum SSL Version allowed
- Maximum SSL Version allowed
- Server cipher list
- Select these options to make negotiating a handshake easier after the initial try:
- Send empty plaintext fragment
- Allow legacy signatures in the handshake
- Include indication that previous handshake failed
- Click Save.
The named Certificate Verification Options configuration is saved.
You can publish saved changes to the cloud now or keep working and publish later.
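As an added example, not Skyhigh's own code and not how the product implements these fields, the following Python uses the standard ssl module to express the same settings (minimum version, maximum version and an OpenSSL cipher string) as a strict primary profile and a relaxed fallback profile, and retries the handshake with the fallback only after the primary attempt fails, passing along a flag that a previous handshake failed. The profile values and the connect callback are constructed assumptions.

```python
import ssl

# Constructed profiles mirroring the page's fields: a strict primary profile
# and a relaxed fallback profile that is tried only after the primary fails.
PRIMARY = {"min": ssl.TLSVersion.TLSv1_2, "max": ssl.TLSVersion.TLSv1_3,
           "ciphers": "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5"}
FALLBACK = {"min": ssl.TLSVersion.TLSv1_2, "max": ssl.TLSVersion.TLSv1_2,
            "ciphers": "ECDHE+AESGCM:ECDHE+AES:!aNULL:!MD5"}


def build_context(profile):
    """Return a client SSLContext configured from one profile dict."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = profile["min"]
    ctx.maximum_version = profile["max"]
    # OpenSSL rejects a cipher string that selects no TLS 1.2-or-lower cipher,
    # which is the check you want before saving a hand-typed cipher list.
    ctx.set_ciphers(profile["ciphers"])
    return ctx


def cipher_names(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 cipher names it selects.
    TLS 1.3 suites are always listed by OpenSSL regardless of the string, so
    they are filtered out to show only what the string itself controls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()
            if not c["protocol"].startswith("TLSv1.3")]


def handshake_with_fallback(connect, profiles=(PRIMARY, FALLBACK)):
    """Try each profile in order and return (index, result) of the first success.
    `connect(ctx, previous_failed)` is a caller-supplied callable (assumption)
    that performs the handshake; later attempts are told a previous handshake
    failed, mirroring the 'Include indication that previous handshake failed'
    option. If every profile fails, the last ssl.SSLError is re-raised."""
    last_error = None
    for index, profile in enumerate(profiles):
        ctx = build_context(profile)
        try:
            return index, connect(ctx, previous_failed=index > 0)
        except ssl.SSLError as exc:
            last_error = exc
    raise last_error
```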