6.7.3.1. Understanding Encryption policies

This section describes the configuration blocks of Encryption policies and the objects used in them. Encryption policies were designed to be flexible and to make encryption settings easy to reuse across different services.

An Encryption policy is an object that has a unique name, and references a fully-configured encryption scenario.

Encryption scenarios are actually Python classes that describe how encryption is used in a particular connection, for example, both the server-side and the client-side connections are encrypted, or the connection uses a one-sided SSL connection, and so on. Encryption scenarios also reference other classes that contain the actual settings for the scenario. Depending on the scenario, the following classes can be set for the client side, the server side, or both.

  • Certificate generator: It creates or loads an X.509 certificate that Application-level Gateway shows to the peer. The certificate can be a simple certificate (Section 5.5.23, Class StaticCertificate in Proxedo Network Security Suite 2 Reference Guide), a dynamically generated certificate (for example, used in a keybridging scenario, Section 5.5.12, Class DynamicCertificate in Proxedo Network Security Suite 2 Reference Guide), or a list of certificates to support Server Name Indication (SNI, Section 5.5.18, Class SNIBasedCertificate in Proxedo Network Security Suite 2 Reference Guide).

    The related parameters are: client_certificate_generator, server_certificate_generator

  • Certificate verifier: The settings in this class determine whether Application-level Gateway requests a certificate from the peer, and how it verifies that certificate. Application-level Gateway has separate built-in classes for the client-side and the server-side verification settings: Section 5.5.6, Class ClientCertificateVerifier in Proxedo Network Security Suite 2 Reference Guide and Section 5.5.19, Class ServerCertificateVerifier in Proxedo Network Security Suite 2 Reference Guide. For details and examples, see Section 3.2.5, Certificate verification options in Proxedo Network Security Suite 2 Reference Guide.

    The related parameters are: client_verify, server_verify

  • Protocol settings: The settings in this class determine the protocol-level settings of the SSL/TLS connection, for example, the permitted ciphers and protocol versions, session-reuse settings, and so on. Application-level Gateway has separate built-in classes for the client-side and the server-side SSL/TLS settings: Section 5.5.10, Class ClientTLSOptions in Proxedo Network Security Suite 2 Reference Guide and Section 5.5.22, Class ServerTLSOptions in Proxedo Network Security Suite 2 Reference Guide. For details and examples, see Section 3.2.6, Protocol-level TLS settings in Proxedo Network Security Suite 2 Reference Guide.

    The related parameters are: client_tls_options, server_tls_options

Application-level Gateway provides the following built-in encryption scenarios:

  • TwoSidedEncryption: Both the connection between the client and Application-level Gateway and the connection between Application-level Gateway and the server are encrypted. For details, see Section 5.5.25, Class TwoSidedEncryption in Proxedo Network Security Suite 2 Reference Guide.

  • ClientOnlyEncryption: Only the connection between the client and Application-level Gateway is encrypted; the connection between Application-level Gateway and the server is not. For details, see Section 5.5.8, Class ClientOnlyEncryption in Proxedo Network Security Suite 2 Reference Guide.

  • ServerOnlyEncryption: Only the connection between Application-level Gateway and the server is encrypted; the connection between the client and Application-level Gateway is not. For details, see Section 5.5.21, Class ServerOnlyEncryption in Proxedo Network Security Suite 2 Reference Guide.

  • ForwardStartTLSEncryption: The client can optionally request STARTTLS encryption. For details, see Section 5.5.16, Class ForwardStartTLSEncryption in Proxedo Network Security Suite 2 Reference Guide.

  • ClientOnlyStartTLSEncryption: The client can optionally request STARTTLS encryption, but the server-side connection is always unencrypted. For details, see Section 5.5.9, Class ClientOnlyStartTLSEncryption in Proxedo Network Security Suite 2 Reference Guide.

  • FakeStartTLSEncryption: The client can optionally request STARTTLS encryption, but the server-side connection is always encrypted. For details, see Section 5.5.15, Class FakeStartTLSEncryption in Proxedo Network Security Suite 2 Reference Guide.
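As an added illustration of the structure described in the parameter list and the scenario list above (this is not PNS or Zorp code and uses none of its classes), the following Python script models an Encryption policy as a named object that references one scenario plus the six per-side parameters, renders each encrypted side with Python's standard ssl module (toward the client the gateway is the TLS server, toward the server it is the TLS client), and flags parameters that are missing for, or unused by, the chosen scenario. The stand-in classes CertificateGenerator, CertificateVerifier and TLSOptions, the SCENARIO_SIDES table (with the server side of ForwardStartTLSEncryption assumed), the rule that only the client side needs a certificate generator, and the /PLACEHOLDER paths are this example's own assumptions.

```python
import os
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sides each built-in scenario encrypts, from the scenario list above. The page does not
# state what ForwardStartTLSEncryption does toward the server; "both" is an assumption.
SCENARIO_SIDES = {
    "TwoSidedEncryption": ("client", "server"),
    "ClientOnlyEncryption": ("client",),
    "ServerOnlyEncryption": ("server",),
    "ForwardStartTLSEncryption": ("client", "server"),  # assumption
    "ClientOnlyStartTLSEncryption": ("client",),
    "FakeStartTLSEncryption": ("client", "server"),
}
SETTINGS = ("certificate_generator", "verify", "tls_options")

@dataclass
class CertificateGenerator:  # stand-in for StaticCertificate
    cert_file: str  # PEM chain the gateway shows to the peer
    key_file: str

@dataclass
class CertificateVerifier:  # stand-in for Client/ServerCertificateVerifier
    required: bool = True          # request a peer certificate; fail the handshake without one
    ca_file: Optional[str] = None  # trust anchors; None means the system trust store
    check_hostname: bool = True    # match the peer name; only applied toward the server

@dataclass
class TLSOptions:  # stand-in for Client/ServerTLSOptions (protocol-level settings)
    minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2
    ciphers: str = "ECDHE+AESGCM:ECDHE+CHACHA20"

@dataclass
class EncryptionPolicy:
    """Unique name, one scenario, and the six per-side parameters listed above."""
    name: str
    scenario: str
    client_certificate_generator: Optional[CertificateGenerator] = None
    client_verify: Optional[CertificateVerifier] = None
    client_tls_options: Optional[TLSOptions] = None
    server_certificate_generator: Optional[CertificateGenerator] = None
    server_verify: Optional[CertificateVerifier] = None
    server_tls_options: Optional[TLSOptions] = None

    def unused_settings(self) -> List[str]:
        """Parameters set for a side the scenario leaves unencrypted (they have no effect)."""
        return [f"{side}_{s}" for side in ("client", "server") for s in SETTINGS
                if side not in SCENARIO_SIDES[self.scenario]
                and getattr(self, f"{side}_{s}") is not None]

    def missing_settings(self) -> List[str]:
        """Parameters an encrypted side needs but lacks. Requiring the certificate generator
        only toward the client (where the gateway is the TLS server) is this example's
        simplification, not a PNS rule."""
        missing = []
        for side in SCENARIO_SIDES[self.scenario]:
            needed = SETTINGS if side == "client" else SETTINGS[1:]
            missing += [f"{side}_{s}" for s in needed if getattr(self, f"{side}_{s}") is None]
        return missing

def side_context(p: EncryptionPolicy, side: str) -> ssl.SSLContext:
    """Render one side as an ssl context: toward the client the gateway is the TLS server,
    toward the server it is the TLS client."""
    toward_server = side == "server"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT if toward_server else ssl.PROTOCOL_TLS_SERVER)
    purpose = ssl.Purpose.SERVER_AUTH if toward_server else ssl.Purpose.CLIENT_AUTH
    gen, verifier, opts = (getattr(p, f"{side}_{s}") for s in SETTINGS)
    if gen is not None and os.path.isfile(gen.cert_file):  # placeholder paths below do not exist
        ctx.load_cert_chain(gen.cert_file, gen.key_file)
    # check_hostname first: ssl refuses CERT_NONE while hostname checking is still on.
    ctx.check_hostname = toward_server and verifier.required and verifier.check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED if verifier.required else ssl.CERT_NONE
    if verifier.required:
        if verifier.ca_file:
            ctx.load_verify_locations(cafile=verifier.ca_file)
        else:
            ctx.load_default_certs(purpose)
    ctx.minimum_version = opts.minimum_version
    ctx.set_ciphers(opts.ciphers)
    return ctx

def summarize(p: EncryptionPolicy) -> Dict[str, Dict[str, object]]:
    """Effective settings per encrypted side, as plain values; refuses incomplete policies."""
    if p.missing_settings():
        raise ValueError(f"{p.name}: missing {p.missing_settings()}")
    out = {}
    for side in SCENARIO_SIDES[p.scenario]:
        ctx = side_context(p, side)
        out[side] = {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname,
                     "minimum_version": ctx.minimum_version.name, "ciphers": len(ctx.get_ciphers())}
    return out

# Constructed demonstration: an HTTPS proxy that does not ask browsers for a client
# certificate but always verifies the upstream server. File paths are placeholders.
HTTPS_PROXY = EncryptionPolicy(
    name="https_proxy", scenario="TwoSidedEncryption",
    client_certificate_generator=CertificateGenerator("/PLACEHOLDER/gw-cert.pem", "/PLACEHOLDER/gw-key.pem"),
    client_verify=CertificateVerifier(required=False),
    client_tls_options=TLSOptions(),
    server_verify=CertificateVerifier(required=True),
    server_tls_options=TLSOptions(),
)
```

Calling summarize(HTTPS_PROXY) shows the asymmetry the two verifier classes exist for: the client-side context ends up with CERT_NONE and no hostname check, the server-side context with CERT_REQUIRED and hostname checking on. A policy that sets server_verify on a ClientOnly scenario is reported by unused_settings(), which is the kind of silent misconfiguration worth catching before a service references the policy.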

For an example of configuring Encryption policies, see How to configure TLS proxying in PNS 2. For details on HTTPS-specific problems and the related solutions, see How to configure HTTPS proxying in PNS 2.