DPI-SSL Server cipher suites
jst3751
In a website running on a Windows Server 2012 R2 IIS behind an NSA2600 with DPI-SSL Server properly configured and running, and a user on the internet, does it matter if the cipher suite negotiated and used between the user and the NSA2600 is different from the cipher suite negotiated and used between the NSA2600 and the webserver?
Category: Mid Range Firewalls
Answers
Hello @jst3751,
No, it should not matter. With either client DPI SSL or server DPI SSL, every SSL connection is broken down into two and the SonicWall acts as a man in the middle and handles both of those SSL connections simultaneously.
Especially with server DPI SSL, the communication between the firewall and the server need not be over SSL as well; it can be in clear text.
You can check the 'Using the Cleartext option' in the KB below that explains the same.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
More information:
I am trying to figure out what the difference is in implementation between these cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
The first one is an available cipher suite in a Sonicwall NSA 2600 with firmware 6.5.4.6-79n
The last 2 are what are listed as available and supported on a Windows Server 2012 R2.
I am trying to make sure that the Sonicwall and the server are both using the same cipher suites for the purposes of DPI-SSL.
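The three names above differ only in the suffix: on Windows Server 2012 R2, Schannel lists ECDHE suites with the elliptic curve appended (_P256, _P384, _P521), while the IANA name used by the SonicWall (and by OpenSSL) has no suffix, because the curve is negotiated separately in the ClientHello supported_groups extension rather than being part of the cipher suite code point. The following helper, an added example that is not from the original thread or from SonicWall, strips the Windows suffix, maps the base name to its IANA code point, and reports which suites two configured lists have in common and which curves the Windows side advertises for each. The firewall and server lists in the block are constructed sample input, and the lookup table covers only a handful of common suites.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Windows Server 2012 R2 Schannel appends the ECDHE curve to the suite name;
# the IANA name has no such suffix and the curve travels in supported_groups.
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")

# Windows suffix -> named curve as it appears in the TLS supported_groups extension.
CURVE_NAMES = {"256": "secp256r1", "384": "secp384r1", "521": "secp521r1"}

# IANA cipher suite code points (subset, constructed for this example).
IANA_CODES: Dict[str, int] = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C,
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": 0xC024,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
}


class SuiteName(NamedTuple):
    iana_name: str          # suite name without the Windows curve suffix
    code_point: Optional[int]  # IANA code point, None if not in the lookup table
    curve: Optional[str]    # curve encoded in the Windows name, None if absent


def parse_windows_suite(name: str) -> SuiteName:
    """Split a Schannel-style suite name into IANA name and curve.

    Names without a _P### suffix (IANA/OpenSSL style, or non-ECDHE suites)
    pass through with curve=None.
    """
    m = CURVE_SUFFIX.search(name)
    base, curve = name, None
    if m:
        base = name[: m.start()]
        curve = CURVE_NAMES[m.group(1)]
    return SuiteName(base, IANA_CODES.get(base), curve)


def common_suites(firewall: List[str], windows: List[str]) -> Dict[str, List[str]]:
    """Return IANA suite names present in both lists.

    The value is the sorted list of curves the Windows side advertises for that
    suite (empty for non-ECDHE suites). For the proxy-to-server leg of DPI-SSL,
    the firewall must also offer at least one of those curves in its
    supported_groups extension, or the suite will not be usable despite matching.
    """
    fw_bases = {parse_windows_suite(n).iana_name for n in firewall}
    curves_by_base: Dict[str, set] = {}
    for n in windows:
        s = parse_windows_suite(n)
        curves_by_base.setdefault(s.iana_name, set())
        if s.curve:
            curves_by_base[s.iana_name].add(s.curve)
    return {
        base: sorted(curves)
        for base, curves in curves_by_base.items()
        if base in fw_bases
    }


# Constructed sample lists: one in SonicWall/IANA style, one in Windows 2012 R2 style.
FIREWALL_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
WINDOWS_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for name in WINDOWS_SUITES:
        s = parse_windows_suite(name)
        cp = f"0x{s.code_point:04X}" if s.code_point is not None else "unknown"
        print(f"{name:55} -> {s.iana_name} ({cp}) curve={s.curve}")
    print("common:", common_suites(FIREWALL_SUITES, WINDOWS_SUITES))
```

Run as-is it shows that both Windows entries collapse to the single IANA suite 0xC02C the firewall lists, differing only in curve; the remaining gap to check on the firewall-to-server leg is therefore the curve list, not the cipher suite name.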
Hello @jst3751,
That was really interesting. I honestly did not know much about this and went through a few online articles on the same.
This following discussion might help you. Again, I don't have something specific from the SonicWall side to add to this, as this is more of a general technology-related question. But I would say give this a read; it looks really helpful.
Thanks!!
Shipra Sahu
Technical Support Advisor, Premier Services
Wow thanks for finding that great discussion.
So once again Microsoft thinks they are better than everyone else by including a bit of information neither required nor desired in that field.
I realize it "should not matter," but I am working on resolving constant events being logged in the Windows Server application log concerning certificate mismatch. I wanted to make sure, before investigating that problem, that it was not somehow caused by or tied to different cipher suites being used.
@jst3751,
Understood. If you have any other questions, let me know.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services