Skyhigh Security

Fine-tune a Handshake Over Secure Connections

Configure the settings used to negotiate an initial SSL/TLS handshake and to retry the negotiation with alternative settings.

  1. In Skyhigh CASB, select Policy > Web Policy > Feature Configuration.
  2. Select Certificate Verification Options > Default Certificate Verification.
  3. From the Actions drop-down list, select Clone and Edit.
  4. Provide a name for the feature configuration and an optional comment.
  5. Configure the Protocol Settings:
    • Minimum SSL Version allowed — Select the latest TLS version allowed. Only select SSL 3.0 for backward compatibility.
    • Maximum SSL Version allowed — Select the earliest TLS version allowed.
    • TLS cipher list — (Optional) Provide a cipher list in OpenSSL cipher-string syntax.
      This information might be needed to decrypt data received from servers that do not support the EDH (Ephemeral Diffie-Hellman) method.
    • SSL session cache TTL — Specify how long in seconds the SSL session parameters can be stored in the cache.
  6. Select any of the following options. When an option is selected, the certificate verification options feature behaves as described:
    • Allow handshake and renegotiation with servers that do not implement RFC 5746 — Allows renegotiation of an existing handshake with servers that do not comply with RFC 5746, an extension of the TLS protocol.
    • Send empty plaintext fragment — Includes an empty plaintext fragment in communications.
    • Allow legacy signatures in the handshake — Allows legacy signatures to be used in the initial handshake.
    • Identify and bypass Skype for Business traffic — Identifies Skype for Business traffic and allows it to bypass certificate verification.
  7. Select Use alternative handshake settings after handshake failure to let the certificate verification options feature retry the handshake, using different values for these settings:
    • Minimum SSL Version allowed
    • Maximum SSL Version allowed
    • Server cipher list
    • Select these options to make negotiating a handshake easier after the initial try:
      • Send empty plaintext fragment
      • Allow legacy signatures in the handshake
      • Include indication that previous handshake failed
  8. Click Save.
    The named Certificate Verification Options configuration is saved.
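The following added example is not Skyhigh code and does not touch the CASB UI; it uses Python's standard `ssl` module to show what the settings in steps 5 and 7 amount to in practice: a primary context built from a minimum version, maximum version and OpenSSL cipher string, a check that a cipher string actually selects something before it is pasted into the TLS cipher list field, and a second attempt with the alternative settings after the first handshake fails. The `VERSIONS` mapping, `HandshakeSettings`, `negotiate` and the offline `fake_server` stand-in are assumptions of this example, not part of the product; the session cache TTL and the "previous handshake failed" indication have no equivalent in Python's `ssl` API and are left out.

```python
import ssl
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Version labels as they appear in the Protocol Settings, mapped onto Python's
# ssl.TLSVersion enum (this mapping is an assumption of the example).
VERSIONS = {
    "SSL 3.0": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class HandshakeSettings:
    """The subset of the step 5 / step 7 fields that Python's ssl module can express."""
    minimum_version: str = "TLS 1.2"
    maximum_version: str = "TLS 1.3"
    cipher_list: str = "ECDHE+AESGCM:!aNULL"  # OpenSSL cipher-string syntax


def validate_cipher_list(cipher_list: str) -> List[str]:
    """Return the pre-TLS 1.3 cipher names an OpenSSL cipher string selects.

    Raises ssl.SSLError when the string selects no cipher at all, which is the
    check worth running before committing a string to the TLS cipher list field.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # OpenSSL rejects strings that match nothing
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def build_context(settings: HandshakeSettings) -> ssl.SSLContext:
    """Turn one set of handshake settings into a client-side SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[settings.minimum_version]
    ctx.maximum_version = VERSIONS[settings.maximum_version]
    ctx.set_ciphers(settings.cipher_list)
    return ctx


def negotiate(connect: Callable[[ssl.SSLContext], object],
              primary: HandshakeSettings,
              alternative: HandshakeSettings,
              use_alternative: bool = True) -> Tuple[object, str]:
    """Attempt the handshake with the primary settings; on failure retry once
    with the alternative settings (the behaviour step 7 enables).

    `connect` performs the actual handshake with the context it is given, for
    example `lambda ctx: ctx.wrap_socket(sock, server_hostname=host)`.
    Returns (result, which settings succeeded).
    """
    try:
        return connect(build_context(primary)), "primary"
    except ssl.SSLError as primary_error:
        if not use_alternative:
            raise
        try:
            return connect(build_context(alternative)), "alternative"
        except ssl.SSLError:
            raise primary_error  # report the original failure, not the retry's


def fake_server(peer_max: ssl.TLSVersion) -> Callable[[ssl.SSLContext], str]:
    """Constructed, offline stand-in for a remote server that supports protocol
    versions up to `peer_max`: the 'handshake' fails when the client's minimum
    version is higher than anything the peer offers. No network is used.
    """
    def connect(ctx: ssl.SSLContext) -> str:
        if ctx.minimum_version > peer_max:
            raise ssl.SSLError("handshake failure: peer supports at most %s" % peer_max.name)
        return "connected with minimum %s" % ctx.minimum_version.name
    return connect


if __name__ == "__main__":
    print("ciphers selected:", validate_cipher_list("ECDHE+AESGCM:!aNULL"))
    strict = HandshakeSettings(minimum_version="TLS 1.3")
    relaxed = HandshakeSettings(minimum_version="TLS 1.2")
    # A TLS 1.2-only peer fails the strict attempt and succeeds on the retry.
    print(negotiate(fake_server(ssl.TLSVersion.TLSv1_2), strict, relaxed))
```

Swap `fake_server` for a real `wrap_socket` call to exercise the same retry path against an actual server; the point of keeping the two contexts separate is that the relaxed one is only ever used after the strict one has been refused, so a downgrade is never the first offer.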

You can publish saved changes to the cloud now or keep working and publish later.
