Block Traffic on Secure Connections with an Invalid Certificate
This rule set allows you to configure which rules are applied during the certificate verification process and which web requests can skip the rules and continue to HTTPS decryption.
Before you begin
For this rule set to take effect, you must provide at least one certificate authority.
NOTE: From this rule set, you can open and configure the Certificate Verification feature.
- In Skyhigh CASB, select Policy > Web Policy > Lists.
- In the policy tree, select HTTPS Scanning > Certificate Verification.
- Optionally configure criteria to limit the scope of this rule set.
- Select the certificate verification rules that you want to be enabled. When selected, the rules:
- Skip certificate verification on these Hosts or Domains — Skips certificate verification rules for web requests sent to the hosts or domains in this list.
- Verify certificate for these Private Applications — The default Web policy bypasses the certificate validations for private applications. To validate its certificate, you can add private applications to the list. This option is available only when you have the Skyhigh Private Access license.
- Trust Skyhigh Security's List of Certificate Authorities — Trusts certificates having a certificate authority in the Skyhigh Security list of trusted certificate authorities.
- Block Self Signed Certificates — Blocks web requests having a self-signed certificate.
- Block Expired Certificates (7 days grace period) and Expired CA Certificates — Blocks web requests having an expired server certificate (after seven days) or an expired CA certificate.
- Block Invalid Certificate Chains — Blocks web requests having an invalid certificate chain.
- Block Revoked Certificates — Blocks web requests having a certificate chain when one of the certificates in the chain has been revoked.
- Strict Certificate Chain Verification (Block) — Blocks web requests having a certificate chain when one of the certificates in the chain has an unknown revocation status or the chain is incomplete.
- Block Unknown Certificate Authorities — Blocks web requests having a certificate chain when none of the certificate authorities issuing the certificates in the chain are known.
- Block Untrusted Certificate Authorities — Blocks web requests having a certificate chain when the first known certificate authority in the chain is not trusted.
- Block Weak Key Exchange — Blocks web requests having a certificate that uses a weak key exchange algorithm.
- Block Unsafe Certificate Signatures — Blocks web requests having a certificate signed using an unsafe algorithm.
- Block Common Name Mismatch — Blocks web requests having a certificate whose common name does not match the host name in the URL.
- Configure the lists associated with the rules as needed.
Changes to the policy tree, rule sets, or rules are automatically saved. You can publish them to the cloud now or keep working and publish later.