Go to Configure Page

Go to Real time content security

Go to HTTPS Inspection

Global

Enabled

Enable or Disable this section.

• TRUE : Enable HTTPS inspection section.
• FALSE : Disable HTTPS inspection section.

Inspection Policies

Each CONNECT request is testedonly once for the applicability of the following entries. The first matching entry is applied, and the rest are ignored.

If the matching entry deems that a DeepScan should not be performed, the CONNECT request is handled WITHOUT inspecting the subsequent requests.

If, however the matching entry deems a DeepScan should be performed, the connection to the remote webserver is security checked for SSL properties as per the rule in the matched entry.

If the remote webserver fails to meet the desired standards, connection to that webserver is terminated.

Note: DeepScan should only be performed on encrypted connections, if the underlying application protocol is HTTP. Applications like Google drive, Subversion Client, WinScp etc., do not work if you attempt a DeepScan on them.

SafeSquid comes with some default Inspection policies as follows

• Disable SSL scanning for specific websites. Add websites under BYPASS HTTPS category to bypass SSL inspection
• Allow specific websites to be accessed with exceptions. SafeSquid may not have complete trusted CA certificates, in those cases websites can be accessed with exceptions.
• Enforce SSL scanning for all websites.

Enable or Disable above policies as per the requirement or add new policy for new requirement

Enabled

Enable or Disable this entry

• TRUE : Enable this entry.
• FALSE : Disable this entry.

Comment

For documentation, and future references, explain the relevance of this entry with your policies.

That is, by reading the policies, a future user can understand the purpose of that entry.

Profiles

Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

DeepScan

Decide if you want to enable scanning within encrypted SSL connections matching this entry.

• TRUE : Select this option to enable Deep Scanning.
• FALSE : Select this option to disable Deep Scanning.

Block Access to Sites which do not have an SSL Certificate

Decide whether Sites that do not have SSL Certificate should be blocked or not.

• TRUE : This is the default and safe option.
• FALSE : Select this option only if you want to allow SSL access to web-sites without SSL certificates.

Acceptable Errors in SSL Verification

SafeSquid verifies the SSL certificate to remote SSL web-servers.

You can specify here, the acceptable level of error.

Only in specific or exceptional cases choose anything besides X509_V_OK.

Block domain mismatch in the web-site SSL certificate

Decide whether domain name mismatch is to be allowed or not.

SafeSquid validates the DNS and Common Name in the SSL certificates supplied by the remote web-server.

Only in exceptional cases set this as FALSE.

• TRUE : This is the default and safe option.
• FALSE : Select this option only if you want to allow SSL access to web-sites that are using certificates issued to domains other than the web-site.

Example

Rule#1

I want to allow websites which are self-hosted with self-signed certificates

Connection with profile “ALLOW SELF SIGNED CERT WEBSITES” will bypass SSL error ERR_SELF_SIGNED_CERT_IN_CHAIN

Save Configuration 

No configuration required in Setup tab

Note : In new versions of SafeSquid released after June-2017, setup tab is removed. You will see only three subsections in HTTPS inspection section.

Setup

List of Security Passphrase(s) or Server Policies required to generate or load an existing ROOT CA SSL Certificate (RCSC).

The first matching entry below is used and the remaining is ignored.

RCSC is automatically created if none exists already.

If an RCSC exists, passphrase in the applicable entry is used to load it.

The Private key of the generated RCSC can be used only with the passphrase used to generate it.

The passphrase prevents the private key of your RCSC from being stolen or fraudulent use.

After the RCSC has been successfully generated, the public key of your RCSC can be downloaded from http://safesquid.cfg/safesquid.cer

The public key must be installed on all the Web-Clients and browsers that are subjected to Deep Scan.

Click on Add below, to add a new entry.

Enabled

Enable or Disable this entry

• TRUE : Enable this entry.
• FALSE : Disable this entry.

Comment

For documentation, and future references, explainthe relevance of this entry with your policies.

Proxy Host

Please enter the host name of the proxy server as specified in the Startup Parameters.

Encrypted Password

Please enter the Encrypted password for disk based caching of SSL certificates.

Generate SSL certificates from self service portal

First you have to generate SSL certificates from self-service portal  before configuring HTTPS inspection. 

Setup your SSL certificates from self-service portal

SSL Certs/Cache

Download SSL Certificate from SafeSquid User Interface

Download : Download the SafeSquid certificate.

Upload : Upload the SafeSquid Certificate.

Cache Refresh : Refresh the cache.

Importing SafeSquid SSL certificate into your browser

Install SafeSquid SSL certificates into the browsers. If you did not install certificate into the browser and HTTPS inspection is enabled, then you will get an error while accessing the HTTPS websites.

Importing into  Mozilla Firefox

Importing into Internet Explorer Or Chrome Browser