Configures SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for threat detection, managing CA certificates, exemptions, and compliance.
SSL/TLS inspection (also called SSL decryption, HTTPS inspection, or TLS break-and-inspect) intercepts encrypted traffic between clients and servers so that the plaintext can be examined for malware, data exfiltration, policy violations, and command-and-control (C2) communication. The inspection device acts as a trusted man-in-the-middle: it terminates the TLS session from the client, inspects the plaintext, and then establishes a new TLS session to the destination server. With more than 95% of web traffic now encrypted, organizations without TLS inspection face a significant security blind spot. This skill covers configuring TLS inspection on next-generation firewalls, deploying trusted CA certificates, managing exemptions for applications that use certificate pinning, and ensuring compliance with privacy regulations.
| Mode | Direction | Description |
|---|---|---|
| SSL forward proxy | Outbound | Intercepts client-to-internet HTTPS connections |
| SSL inbound inspection | Inbound | Decrypts traffic destined for internal servers |
| SSH proxy | Bidirectional | Inspects SSH-tunneled traffic |
```text
Client                       Firewall/Proxy                      Web server
  │                              │                                   │
  │──TLS ClientHello────────────→│                                   │
  │                              │──TLS ClientHello─────────────────→│
  │                              │←─TLS ServerHello──────────────────│
  │                              │  (real server certificate)        │
  │                              │                                   │
  │                              │  [validate server certificate]    │
  │                              │  [generate proxy certificate      │
  │                              │   signed by the internal CA]      │
  │                              │                                   │
  │←─TLS ServerHello─────────────│                                   │
  │  (proxy-signed certificate)  │                                   │
  │                              │                                   │
  │──encrypted data─────────────→│ [decrypt, inspect]                │
  │                              │──encrypted data──────────────────→│
  │←─encrypted data──────────────│ [decrypt, inspect]                │
  │                              │←─encrypted data───────────────────│
```
```text
Enterprise root CA
└── Subordinate CA (SSL inspection)
    └── Dynamically generated server certificate
        (CN matches the requested server)
```
```bash
# Create the private key for the SSL inspection CA (passphrase-protected)
openssl genrsa -aes256 -out ssl-inspect-ca.key 4096

# Create the CA certificate (5-year validity); pathlen:0 means this CA may
# sign server certificates but never another CA
openssl req -new -x509 -key ssl-inspect-ca.key \
  -sha256 -days 1825 \
  -out ssl-inspect-ca.crt \
  -subj "/C=US/ST=California/O=Corp Inc/OU=Network Security/CN=Corp SSL Inspection CA" \
  -extensions v3_ca \
  -config <(cat <<EOF
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
)

# Verify the certificate
openssl x509 -in ssl-inspect-ca.crt -text -noout
```
Windows (Group Policy):

```powershell
# Import the CA certificate into the Trusted Root store via GPO:
# Computer Configuration > Policies > Windows Settings >
#   Security Settings > Public Key Policies > Trusted Root Certification Authorities

# Or deploy via PowerShell
Import-Certificate -FilePath "\\server\share\ssl-inspect-ca.crt" `
  -CertStoreLocation "Cert:\LocalMachine\Root"

# Verify the deployment
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
  $_.Subject -like "*SSL Inspection CA*"
}
```
macOS (MDM configuration profile or manual):

```bash
# Install from the command line into the System keychain as a trusted root
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain ssl-inspect-ca.crt
```
Linux:

```bash
# Ubuntu/Debian
sudo cp ssl-inspect-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# RHEL/CentOS
sudo cp ssl-inspect-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```
```text
# Import the CA certificate into the firewall (PAN-OS syntax)
# Device > Certificate Management > Certificates > Import

# Set it as the forward trust CA
set shared certificate SSL-Inspect-CA forward-trust-certificate yes

# Create the decryption profile
set profiles decryption Corporate-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy restrict-cert-exts yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy strip-alpn no

# Minimum TLS version
set profiles decryption Corporate-Decrypt ssl-protocol-settings min-version tls1-2
set profiles decryption Corporate-Decrypt ssl-protocol-settings max-version max

# Decryption policy - decrypt outbound HTTPS
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust
set rulebase decryption rules Decrypt-Outbound source any
set rulebase decryption rules Decrypt-Outbound destination any
set rulebase decryption rules Decrypt-Outbound service any
set rulebase decryption rules Decrypt-Outbound action decrypt
set rulebase decryption rules Decrypt-Outbound type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Corporate-Decrypt
```
Certain applications and URL categories must be excluded from TLS inspection, either because certificate pinning makes the connection fail when a proxy certificate is presented or because decrypting the content raises privacy and compliance concerns:
```text
# Exempt certificate-pinned applications
set rulebase decryption rules No-Decrypt-Pinned from Trust to Untrust
set rulebase decryption rules No-Decrypt-Pinned application [ apple-update microsoft-update dropbox-base ]
set rulebase decryption rules No-Decrypt-Pinned action no-decrypt

# Exempt privacy-sensitive categories
set rulebase decryption rules No-Decrypt-Privacy from Trust to Untrust
set rulebase decryption rules No-Decrypt-Privacy category [ health-and-medicine financial-services ]
set rulebase decryption rules No-Decrypt-Privacy action no-decrypt

# Exempt specific high-trust domains
set rulebase decryption rules No-Decrypt-Trusted from Trust to Untrust
set rulebase decryption rules No-Decrypt-Trusted destination [ bank-of-america.com chase.com healthcare.gov ]
set rulebase decryption rules No-Decrypt-Trusted action no-decrypt
```
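A firewall rulebase is evaluated top to bottom and the first matching rule wins, so the order in which these `set` commands are entered matters: a catch-all Decrypt-Outbound rule that sits above the no-decrypt rules shadows them, and pinned applications keep failing even though the exemptions exist. The Go program below is an added example, not part of the original page or any vendor's code. It models first-match evaluation over the rules shown above in both orders. The flows it feeds in, the App-ID and category names, and the suffix-based matching of the destination field are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is the verdict a decryption rule applies to a matching session.
type Action string

const (
	Decrypt   Action = "decrypt"
	NoDecrypt Action = "no-decrypt"
)

// Rule carries the match fields used by the rulebase above; an empty list means "any".
type Rule struct {
	Name         string
	Applications []string // App-IDs such as dropbox-base
	Categories   []string // URL categories such as financial-services
	Destinations []string // domain names; subdomains match, look-alikes do not (assumption)
	Action       Action
}

// Flow is what the firewall knows about a session when the decryption policy is evaluated.
type Flow struct {
	Application string
	Category    string
	Host        string // taken from the TLS SNI
}

// matchList treats an empty allow-list as "any".
func matchList(value string, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, a := range allowed {
		if a == value {
			return true
		}
	}
	return false
}

// matchDomain matches the host itself or any subdomain of it, never a longer label
// that merely ends with the same text (notchase.com must not match chase.com).
func matchDomain(host string, domains []string) bool {
	if len(domains) == 0 {
		return true
	}
	h := strings.ToLower(host)
	for _, d := range domains {
		d = strings.ToLower(d)
		if h == d || strings.HasSuffix(h, "."+d) {
			return true
		}
	}
	return false
}

// Matches is true when every populated field of the rule matches the flow.
func (r Rule) Matches(f Flow) bool {
	return matchList(f.Application, r.Applications) &&
		matchList(f.Category, r.Categories) &&
		matchDomain(f.Host, r.Destinations)
}

// Evaluate walks the rulebase top to bottom and stops at the first match, as the firewall does.
// A session that matches no decryption rule is left encrypted.
func Evaluate(rules []Rule, f Flow) (string, Action) {
	for _, r := range rules {
		if r.Matches(f) {
			return r.Name, r.Action
		}
	}
	return "", NoDecrypt
}

// exemptions are the three no-decrypt rules from the page, in the order they were entered.
var exemptions = []Rule{
	{Name: "No-Decrypt-Pinned", Applications: []string{"apple-update", "microsoft-update", "dropbox-base"}, Action: NoDecrypt},
	{Name: "No-Decrypt-Privacy", Categories: []string{"health-and-medicine", "financial-services"}, Action: NoDecrypt},
	{Name: "No-Decrypt-Trusted", Destinations: []string{"bank-of-america.com", "chase.com", "healthcare.gov"}, Action: NoDecrypt},
}

// catchAll is Decrypt-Outbound: source any, destination any, service any.
var catchAll = Rule{Name: "Decrypt-Outbound", Action: Decrypt}

// PageOrder is the order the set commands appear in: the catch-all first, exemptions after it.
func PageOrder() []Rule { return append([]Rule{catchAll}, exemptions...) }

// CorrectedOrder places the specific exemptions ahead of the catch-all so they can ever match.
func CorrectedOrder() []Rule { return append(append([]Rule{}, exemptions...), catchAll) }

func main() {
	// Constructed sample flows: a pinned app, a banking site, and a look-alike domain.
	flows := []Flow{
		{"dropbox-base", "online-storage", "client.dropbox.com"},
		{"web-browsing", "financial-services", "www.chase.com"},
		{"web-browsing", "business-and-economy", "notchase.com"},
	}
	for _, f := range flows {
		pn, pa := Evaluate(PageOrder(), f)
		cn, ca := Evaluate(CorrectedOrder(), f)
		fmt.Printf("%-20s page order: %-18s %-10s corrected: %-18s %s\n", f.Host, pn, pa, cn, ca)
	}
}
```

Run it and the pinned Dropbox flow is decrypted under the page's order but exempted under the corrected one; the look-alike domain is decrypted in both, which is the behaviour you want from a destination-based exemption. On the real firewall, verify the resulting order in the decryption rulebase rather than relying on the sequence the commands were typed in.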
```text
# Import the server certificate and private key
# Device > Certificate Management > Certificates > Import

# Inbound inspection policy
set rulebase decryption rules Inspect-WebServers from Untrust to DMZ
set rulebase decryption rules Inspect-WebServers destination [ 10.0.20.10 10.0.20.11 ]
set rulebase decryption rules Inspect-WebServers service service-https
set rulebase decryption rules Inspect-WebServers action decrypt
set rulebase decryption rules Inspect-WebServers type ssl-inbound-inspection
set rulebase decryption rules Inspect-WebServers profile Corporate-Decrypt
```
```bash
# Test from a client: verify that the certificate issuer is the internal CA
# (stdin is redirected from /dev/null so s_client exits instead of waiting for input)
openssl s_client -connect www.google.com:443 -servername www.google.com </dev/null 2>/dev/null | \
  openssl x509 -noout -issuer -subject
# Expected output (when inspection is active):
# issuer= /C=US/O=Corp Inc/OU=Network Security/CN=Corp SSL Inspection CA
# subject= /CN=www.google.com

# Confirm there are no certificate errors in the browser
# Check the firewall decryption logs for errors

# Test with curl
curl -v https://www.example.com 2>&1 | grep "issuer"
```

```text
# Check decryption statistics on the firewall
show system setting ssl-decrypt memory
show system setting ssl-decrypt certificate-cache
show counter global filter category ssl
```
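The certificate hierarchy shown earlier (enterprise root, pathlen:0 inspection sub-CA, dynamically generated server certificate) and the issuer check just above come together in the following Go program. It is an added example, not code from the original page or from any firewall vendor: it mints the three tiers in memory, issues a leaf whose CN and SAN match the requested hostname the way the proxy does, and then verifies that leaf as a client would, once with the enterprise root deployed and once without. The CA names, organization and hostnames are constructed values; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyPair bundles a certificate with the private key that signs on its behalf.
type KeyPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key for tmpl, signs it with the parent's key
// (self-signs when parent is nil) and returns the parsed certificate with its key.
func issue(tmpl *x509.Certificate, parent *KeyPair) (*KeyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// 128-bit random serial, as a real CA would use.
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Cert: cert, Key: key}, nil
}

// NewCA mints a CA certificate; parent == nil gives the self-signed enterprise root. pathLen 0
// mirrors "basicConstraints = CA:TRUE,pathlen:0": the inspection CA may sign leaves, never another CA.
func NewCA(cn string, parent *KeyPair, pathLen int) (*KeyPair, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:               pkix.Name{Organization: []string{"Corp Inc"}, CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour), // 5 years, as in the openssl example
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, parent)
}

// MintServerCert plays the inspection proxy: once the real upstream certificate has been validated,
// it issues a short-lived leaf whose CN and SAN equal the hostname the client requested.
func MintServerCert(inspectCA *KeyPair, hostname string) (*KeyPair, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: hostname},
		DNSNames:    []string{hostname},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inspectCA)
}

// ClientVerify does what a browser or curl does: chain the presented leaf to a trusted root.
// deployedRoot is nil for a client that never received the enterprise root via GPO or MDM.
func ClientVerify(leaf, sub, deployedRoot *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool() // empty pool on purpose: system roots are not consulted
	if deployedRoot != nil {
		roots.AddCert(deployedRoot)
	}
	inter := x509.NewCertPool()
	inter.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inter})
	return err
}

// IssuedByInspectionCA is the "openssl x509 -issuer" check in code: an issuer CN equal to the
// inspection CA proves the session is decrypted; a public CA issuer means it was exempted or bypassed.
func IssuedByInspectionCA(leaf *x509.Certificate, inspectCN string) bool {
	return leaf.Issuer.CommonName == inspectCN
}

func main() {
	root, _ := NewCA("Corp Root CA", nil, 1)
	sub, _ := NewCA("Corp SSL Inspection CA", root, 0)
	leaf, _ := MintServerCert(sub, "www.example.com")
	fmt.Printf("issuer=%s subject=%s inspected=%v\n", leaf.Cert.Issuer.CommonName,
		leaf.Cert.Subject.CommonName, IssuedByInspectionCA(leaf.Cert, "Corp SSL Inspection CA"))
	fmt.Println("client with root deployed:", ClientVerify(leaf.Cert, sub.Cert, root.Cert, "www.example.com"))
	fmt.Println("client without the root  :", ClientVerify(leaf.Cert, sub.Cert, nil, "www.example.com"))
}
```

The second `ClientVerify` call returns an unknown-authority error, which is exactly the browser warning users see when the root was not pushed to their machine, and the same failure mode a pinned application hits even when the root is present. Go's verifier also enforces the pathlen:0 constraint, so a CA minted beneath the inspection sub-CA cannot produce leaves that chain to the enterprise root.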
| Factor | Impact | Mitigation |
|---|---|---|
| CPU overhead | 50-80% more per session | Hardware SSL acceleration, dedicated decryption appliances |
| Reduced throughput | Typically 40-60% lower | Size decryption hardware for peak encrypted traffic |
| Added latency | Extra 1-5 ms | Deploy inspection devices close to users |
| TLS 1.3 0-RTT | 0-RTT data cannot be inspected | Block 0-RTT or accept the risk |
| Certificate pinning | Inspection fails | Add to the exemption list |
| QUIC/HTTP3 | Bypasses traditional proxies | Block QUIC to force fallback to HTTP/2 |