SSL error autolearning
The Citrix SWG appliance adds a domain to the SSL bypass list if learning mode is on. The learning mode is based on the SSL alert message received from either a client or an origin server. That is, learning is dependent on the client or server sending an alert message. There is no learning if an alert message is not sent. The appliance learns if any of the following conditions are met:
-
A request for a client certificate is received from the server.
-
Any one of following alerts is received as part of the handshake:
- BAD_CERTIFICATE
- UNSUPPORTED_CERTIFICATE
- CERTIFICATE_REVOKED
- CERTIFICATE_EXPIRED
- CERTIFICATE_UNKNOWN
- UNKNOWN_CA (If a client uses pinning, it sends this alert message if it receives a server certificate.)
- HANDSHAKE_FAILURE
To enable learning, you must enable the error cache and specify the memory reserved for this.
Enable learning by using the Citrix SWG GUI
-
Navigate to Secure Web Gateway > SSL.
-
In Settings, click Change advanced SSL settings.
-
In SSL Interception, select SSL Interception Error Cache.
-
In SSL Interception Max Error Cache Memory, specify the memory (in bytes) to reserve.
-
Click OK.
Enable learning by using the Citrix SWG CLI
At the command prompt type:
set ssl parameter -ssliErrorCache ( ENABLED | DISABLED ) -ssliMaxErrorCacheMem <positive_integer>
Arguments:
ssliErrorCache:
Enable or disable dynamic learning, and cache the learned information to make subsequent decisions to intercept or bypass requests. When enabled, the appliance performs a cache lookup to decide whether to bypass the request.
Possible values: `ENABLED, DISABLED`
Default value: `DISABLED`
ssliMaxErrorCacheMem:
Specify the maximum memory, in bytes, that can be used to cache the learned data. This memory is used as a LRU cache so that the old entries are replaced with new entries after the set memory limit is exhausted. A value of 0 decides the limit automatically.
Default value: 0
Minimum value: 0
Maximum value: 4294967294