Create an SSL Initiation Profile

Create an SSL initiation profile to configure settings for the SSL connections that the SRX Series Firewall itself initiates, that is, the connections on which the device acts as the TLS client (for example, the server-facing side of an SSL forward proxy session). The profile defines the accepted SSL/TLS versions, the cipher suites and their order of preference, the certificates used to authenticate each side, and the action to take when server certificate validation fails.

To create an SSL initiation profile:

  1. Select Shared Services > Objects > SSL Initiation Profile.
    The SSL Initiation Profile page opens.
  2. Click the add (+) icon.
    The Create SSL Initiation Profile page opens.
  3. Complete the configuration according to the guidelines in Table 1.
  4. Click OK.

    The SSL Initiation Profile page opens with a confirmation message indicating that the SSL initiation profile is created.

    After you create an SSL initiation profile, you can use this profile as an application service in a security policy.

Table 1: SSL initiation Profile Settings

Setting

Guideline

Name

Enter a unique name of the SSL initiation profile.

The string must consist of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Protocol version

Select the accepted SSL/TLS protocol version from the list: None, All, TLSv1, TLSv1.1, or TLSv1.2. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); select TLSv1.2 unless a server you must reach still requires an older version.

Cipher strength

Select the set of cipher suites to offer, grouped by key strength:

  • Custom—Configure a custom list of cipher suites and their order of preference.

  • Medium—Use ciphers with a key strength of 128 bits or greater.

  • Strong—Use ciphers with a key strength of 168 bits or greater.

  • Weak—Use ciphers with a key strength of 40 bits or greater. This bucket admits 40-bit export-grade ciphers, which are trivially breakable; do not use it outside of a lab.

Flow tracing

Select this option to enable flow tracing for this profile when troubleshooting policy-related issues. Enable it only for the duration of the troubleshooting, because tracing adds overhead and log volume.

SSL session cache

Select this option to enable SSL session cache.

Local Certificates

Local Certificate

Specify the certificate that the SRX Series Firewall presents as its client certificate when the server requests client (mutual) authentication. Select the appropriate certificate from the list.

Add device-specific local certificate

Enable this option to assign a different local (client) certificate to individual devices.

  1. Click +.

    The Add Device-specific Local Certificate page opens.

  2. Enter the following details:

    • Devices—Select the available device from the list.

    • Local certificate—Select the certificate that this device presents to the server as its client certificate. The server must trust the CA that signed it for client authentication to succeed.

  3. Click OK.

CA Certificates

CA certificate

Select the certificate authority (CA) profile from the list. The device uses the CA certificates in this profile to validate the certificate chain presented by the server.

Add device-specific CA certificate

Enable this option to assign a different CA certificate to individual devices.

Junos OS provides a default bundle of trusted CA certificates. Use the default option of the CA certificate load command to load this default list of trusted CA certificates onto the device.

  1. Click +.

    The Add Device-specific CA Certificate page opens.

  2. Enter the following details:

    • Devices—Select the available device from the list.

    • CA certificate—Select the CA certificate that this device uses to validate the server's certificate.

  3. Click OK.

Action

Ignore server authentication failure

Enable this option to ignore server authentication failures completely.

In this case, the SSL forward proxy ignores errors encountered during server certificate verification, such as CA signature verification failure, self-signed certificates, and certificate expiry.

We do not recommend enabling this option, because the server is then not authenticated at all: the session is still encrypted, but an active man-in-the-middle cannot be detected. Use it only temporarily to identify the root cause of dropped SSL sessions, and disable it afterward.

CRL validation

Enable CRL validation on the device to check whether the certificate presented by the server has been revoked.

If CRL information is unavailable

Select one of the options from the list:

  • None—No action is taken.

  • Drop—Drop sessions when CRL information is not available.

  • Allow—Allow sessions when CRL information is not available.

If certificate is revoked

Select one of the options from the list:

  • None—No action is taken.

  • Drop—Drop the sessions when a certificate is revoked.

  • Allow—Allow the session when the certificate is revoked with the revocation reason certificate hold (hold instruction code). This applies only to certificates whose CRL entry carries that reason.
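
To make the settings in Table 1 concrete, the following added example (written for this page; it is not Security Director or Junos code) maps each setting onto the equivalent TLS client configuration in Python's standard ssl module, since an initiation profile governs connections on which the firewall is the TLS client. The function names, the profile dictionary keys, and the (certfile, keyfile) shape of the local certificate are this example's own assumptions; the 40/128/168-bit thresholds and the Drop/Allow behavior come from the table. Flow tracing and the SSL session cache have no direct ssl-module counterpart and are left out.

```python
# Added illustration: map the Table 1 settings of an SSL initiation profile
# onto an equivalent TLS client configuration with Python's ssl module.
# Not Security Director or Junos code; function and dict-key names are
# invented for this example.
import ssl
import warnings

# Table 1 cipher-strength buckets: minimum key strength in bits.
CIPHER_STRENGTH_MIN_BITS = {"weak": 40, "medium": 128, "strong": 168}

# Table 1 protocol versions. A named version is read here as "that version
# only"; "All" means every version the library supports; "None" keeps the
# library defaults.
PROTOCOL_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def select_ciphers(ctx, strength, custom=None):
    """Return the ordered TLS<=1.2 cipher names to offer for a strength bucket.

    Anonymous (aNULL) and null-encryption (eNULL) suites are never offered: they
    pass a pure key-length filter yet give no authentication or no secrecy.
    TLS 1.3 suites are skipped because set_ciphers() does not govern them.
    """
    if strength == "custom":
        if not custom:
            raise ValueError("custom cipher strength requires an ordered cipher list")
        return list(custom)
    min_bits = CIPHER_STRENGTH_MIN_BITS[strength]
    if min_bits < 128:
        warnings.warn("weak bucket admits 40-bit export-grade ciphers; lab use only")
    ctx.set_ciphers("ALL:!aNULL:!eNULL")  # enumerate everything OpenSSL can offer
    # OpenSSL rates 3DES at 112 effective bits while Junos counts its 168-bit
    # key length, so 3DES lands in a different bucket here than on the SRX.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and c["strength_bits"] >= min_bits]


def build_initiation_context(profile, ca_file=None, crl_file=None):
    """Build an ssl.SSLContext that behaves like the Table 1 profile dict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check

    # Protocol version
    version = profile.get("protocol_version", "None")
    if version == "All":
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    elif version in PROTOCOL_VERSIONS:
        if version != "TLSv1.2":
            warnings.warn(f"{version} is deprecated by RFC 8996; prefer TLSv1.2")
        ctx.minimum_version = PROTOCOL_VERSIONS[version]
        ctx.maximum_version = PROTOCOL_VERSIONS[version]

    # Cipher strength
    names = select_ciphers(ctx, profile.get("cipher_strength", "strong"),
                           profile.get("custom_ciphers"))
    ctx.set_ciphers(":".join(names))

    # Local certificate: presented only if the server requests client auth.
    # Assumed shape: (certfile, keyfile) PEM paths.
    if profile.get("local_certificate"):
        certfile, keyfile = profile["local_certificate"]
        ctx.load_cert_chain(certfile, keyfile)

    # Action: ignore server authentication failure. Accepts untrusted,
    # self-signed and expired server certificates. Troubleshooting only: the
    # session is encrypted but unauthenticated, so an active MITM is not seen.
    if profile.get("ignore_server_auth_failure"):
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    # CA certificate(s) used to validate the server's chain
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()         # analogue of the Junos default CA list

    # CRL validation. OpenSSL has no "allow when CRL unavailable" knob: with
    # this flag set and no CRL loaded, the handshake fails (Table 1's Drop).
    if profile.get("crl_validation"):
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        if crl_file:
            ctx.load_verify_locations(cafile=crl_file)  # PEM file holding the CRL
        elif profile.get("if_crl_unavailable") == "Allow":
            warnings.warn("'Allow' on a missing CRL cannot be expressed; handshake will fail")
    return ctx


def summarize(ctx):
    """Inspection helper: what will a built context actually do?"""
    offered = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "cipher_count": len(offered),
        "weakest_cipher_bits": min(c["strength_bits"] for c in offered),
    }


if __name__ == "__main__":
    prod = build_initiation_context({"protocol_version": "TLSv1.2", "cipher_strength": "strong"})
    print(summarize(prod))
    debug = build_initiation_context({"protocol_version": "TLSv1.2", "cipher_strength": "medium",
                                      "ignore_server_auth_failure": True})
    print(summarize(debug))
```

Build the troubleshooting variant (ignore_server_auth_failure set) only to reproduce a dropped session, then remove it: that context still encrypts but no longer authenticates the server, which is exactly the condition the table warns against.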