What is SSL?
SSL (Secure Sockets Layer) is the security protocol and technology used for encrypting the connection between web servers and web browsers. It was originally developed by Netscape in 1994. All data passing between the web server and the web browser over this connection remains private and cannot (without extreme difficulty) be deciphered using a man-in-the-middle attack. SSL is used to protect millions of websites and their online transactions with their customers and makes routine financial transactions over the public Internet possible.
To create an SSL connection, a web server requires a valid SSL Certificate which identifies your website and your company. The web server can then generate two cryptographic keys, a Private Key and a Public Key.
The Public Key is not secret and is included with your Certificate Signing Request (CSR), a file that also contains details about your website and your company. You submit the CSR to one of the valid Certificate Authorities. The Certification Authority validates your information and issues an SSL Certificate, enabling your web server to match your SSL Certificate to your Private Key. Your web server can now establish encrypted links with your customers' web browsers.
The complexities of the SSL protocol remain invisible to your customers. Instead, a key or lock icon on the web browser informs the user that they are currently protected by an SSL encrypted session. Clicking this icon displays the SSL Certificate and its details.
Typically an SSL Certificate will contain your domain name, company name, address, city, state and country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it retrieves the website's SSL Certificate and checks that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser displays a warning indicating that the website is insecure.
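The expiry and site-name checks described above can be reproduced on a parsed certificate. This is an added example, not Barracuda code: the certificate, host names and clock values are constructed, and the third check (that a trusted Certification Authority issued the certificate) is signature verification done by the TLS library and is not reproduced here.

```python
import ssl

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}

# Constructed clock values: one inside the validity period, one after it.
NOW_VALID = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")
NOW_LATE = ssl.cert_time_to_seconds("Feb 15 00:00:00 2025 GMT")


def name_matches(pattern, hostname):
    """Compare one DNS name from the certificate with the requested host."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never covers more than one label
    if p_labels[0] == "*":
        # Wildcard only in the leftmost label, and never directly under a TLD.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_certificate(cert, hostname, now):
    """Return the failed checks; an empty list means no browser warning."""
    failures = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in dns_names):
        failures.append("name mismatch")
    return failures


if __name__ == "__main__":
    for host in ("www.example.com", "pay.shop.example.com", "www.example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, NOW_LATE))
```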
SSL versus TLS
Although SSL continues to be the commonly used term to describe the security technology used to protect website communication, all versions of the SSL protocol itself are now obsolete and have been superseded by the TLS (Transport Layer Security) protocol. The old SSL protocol has known vulnerabilities and should not be configured on servers and systems using the public Internet. TLS versions 1.0, 1.1, and 1.2 are incompatible with any version of SSL and cannot create secure links with systems supporting only SSL.
The Barracuda Load Balancer ADC supports a broad range of cipher suites (or algorithms). The first step in setting up a secure connection protected by TLS is for the client and server to exchange encryption keys and to mutually select a cipher to use to encrypt data. The following terminology is commonly used to describe the various cryptographic cipher suites:
- RSA—Public-key cryptosystem used for secure data transmission
- Advanced Encryption Standard (AES)—Symmetric key algorithm (the same key is used for both encrypting and decrypting data) for the encryption of electronic data using different key (128, 192 and 256 bits) and block sizes. Supersedes DES.
- Diffie-Hellman Exchange (DHE)—Key agreement protocol allowing two parties, each having a public-private key pair, to establish a shared secret over a public channel
- Elliptic Curve Diffie-Hellman Exchange (ECDHE)—Key agreement protocol allowing two parties, each having an elliptic curve public-private key pair, to establish a shared secret over a public channel
- Elliptic Curve Digital Signature Algorithm (ECDSA)—Asymmetric digital signature algorithm using a private key in the authenticator and a public key used by the host to verify the authenticator
- Galois/Counter Mode (GCM)—Authenticated encryption algorithm for symmetric key cryptographic block ciphers with a block size of 128 bits
- Secure Hash Algorithm (SHA)—Set of hash algorithms developed by the National Institute of Standards and Technology (NIST)
- Camellia—Symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 or 256 bits
Ciphers available on the Barracuda Load Balancer ADC
The Barracuda Load Balancer ADC uses OpenSSL-1.0.2 in firmware release 6.2, and the ciphers listed in this section are the ones that are currently available. The available ciphers can change with each firmware release. When making SSL connections, the ADC attempts to use the ciphers listed at the top of the UI first.
Barracuda Networks recommends using the following cipher order (again with the strongest ciphers listed at the top and the weakest at the bottom).
ECDHE-based ciphers (RSA authority):
ECDHE-based ciphers (ECDSA authority):
DHE-based ciphers (RSA authority):
Remaining RSA key exchange cipher suites:
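The following added example (not Barracuda code, and not the ADC's cipher list) splits OpenSSL-style cipher names into the components defined in the terminology list and sorts them into the four groups above in the recommended order. The sample names are a small constructed set of standard OpenSSL 1.0.2 cipher names; `parse_suite` and `order_by_group` are hypothetical helpers.

```python
# Constructed sample of OpenSSL-style cipher names (NOT the ADC's list).
SAMPLE = [
    "AES128-SHA",
    "DHE-RSA-CAMELLIA256-SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256",
]

# (key exchange, authentication) pairs in the page's recommended group order.
GROUP_ORDER = [("ECDHE", "RSA"), ("ECDHE", "ECDSA"), ("DHE", "RSA"), ("RSA", "RSA")]


def parse_suite(name):
    """Split a pre-TLS 1.3 OpenSSL cipher name into its building blocks."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        # Explicit key agreement, followed by the authentication algorithm.
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        # No prefix: RSA is used for both key exchange and authentication.
        kx, auth, rest = "RSA", "RSA", parts
    if len(rest) < 2:
        raise ValueError("unrecognised cipher name: " + name)
    # A trailing "SHA" means SHA-1; SHA256/SHA384 are SHA-2 variants.
    digest = "SHA-1" if rest[-1] == "SHA" else rest[-1]
    cipher = "-".join(rest[:-1])
    # In GCM suites integrity comes from GCM itself (authenticated encryption).
    return {"name": name, "kx": kx, "auth": auth, "cipher": cipher,
            "aead": cipher.endswith("GCM"), "hash": digest}


def order_by_group(names):
    """Sort names by group; order inside a group is kept (stable sort)."""
    parsed = [parse_suite(n) for n in names]
    known = [p for p in parsed if (p["kx"], p["auth"]) in GROUP_ORDER]
    known.sort(key=lambda p: GROUP_ORDER.index((p["kx"], p["auth"])))
    return [p["name"] for p in known]


if __name__ == "__main__":
    for suite in order_by_group(SAMPLE):
        print(parse_suite(suite))
```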
How do you configure the SSL settings for your Barracuda Load Balancer ADC service?
This section describes how to configure the SSL settings for a Barracuda Load Balancer ADC service. These settings can be configured for the Secure TCP Proxy, HTTPS, Instant SSL, and FTP SSL services. Please see the online help for complete information about each configuration option.