About SSL main settings
The main SSL/TLS optimization settings are under Optimization > SSL: SSL Main Settings. Complete the configuration on client-side and server-side appliances, and then restart the service.
Enable TLS Optimization
Enables optimization of secure traffic, which accelerates applications that use TLS for encryption. Using in-path rules, you can choose to enable TLS optimization only on certain sessions (based on source and destination addresses, subnets, and ports), on all sessions, or on no sessions at all. A TLS session that is not optimized simply passes through unmodified. Disabled by default.
Enable TLS Profiling
Enables reporting for SSL/TLS connections.
OCSP Stapling Support
Enables Online Certificate Status Protocol (OCSP) stapling. OCSP is an alternative way to obtain certificate status from OCSP servers rather than from the origin server’s Public Key Infrastructure (PKI). Enable this setting on server-side appliances.
Off disables OCSP. Disabled by default.
Strict bypasses the connection if the origin server does not support OCSP.
Strict AIA bypasses the connection if the certificate included an Authority Information Access (AIA) field but the origin server failed to send an OCSP response. If the certificate did not include an AIA field and the origin server failed to send an OCSP response, the connection is not dropped because the server-side appliance does not expect an OCSP response.
Loose does not bypass the connection if the origin server does not support OCSP.
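A check to run before choosing among the modes above, as an added example (not Riverbed code): from captured OpenSSL output it reports whether each mode would bypass connections to a given origin server. The mode labels, function names and sample inputs are constructed for illustration; it assumes that "does not support OCSP" means no stapled response in the handshake and that an OCSP URI printed by `openssl x509 -ocsp_uri` stands for the AIA field.

```shell
#!/bin/sh
# Added example, not appliance code. Inputs are captured text from:
#   openssl s_client -connect HOST:443 -status </dev/null   (status_out)
#   openssl x509 -noout -ocsp_uri -in server-cert.pem       (aia_uri)

# True when the handshake carried a stapled OCSP response.
is_stapled() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Prints "proceed" or "bypass" for a mode, following the page's descriptions.
# Mode labels (off, strict, strict-aia, loose) are hypothetical shorthand.
# The certificate status inside the response is not evaluated here.
stapling_outcome() {
    mode=$1; status_out=$2; aia_uri=$3
    case $mode in
        off|loose)
            echo proceed ;;
        strict)
            if is_stapled "$status_out"; then echo proceed; else echo bypass; fi ;;
        strict-aia)
            # Bypass only when the certificate advertises OCSP but no staple came.
            if is_stapled "$status_out" || [ -z "$aia_uri" ]; then
                echo proceed
            else
                echo bypass
            fi ;;
        *)
            echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Constructed sample inputs (abridged s_client output, placeholder responder URL).
STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
NOT_STAPLED='OCSP response: no response sent'
AIA_URI='http://ocsp.example.test'

# Report: origin server that does not staple, with and without an OCSP URI.
for m in off strict strict-aia loose; do
    printf '%-10s with-AIA=%s no-AIA=%s\n' "$m" \
        "$(stapling_outcome "$m" "$NOT_STAPLED" "$AIA_URI")" \
        "$(stapling_outcome "$m" "$NOT_STAPLED" "")"
done
```
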
About automatically generated and signed certificates
SteelHead appliances can automatically generate self-signed certificates when they encounter requests for traffic from a host that doesn't have a matching server proxy certificate. In this process, the appliance with the signing Certificate Authority (CA) certificate clones the certificate sent by the initiating appliance, signs it with its local CA, and then sends it back to the initiating appliance. This allows the initiating appliance to recognize the certificate as signed by a trusted CA, enabling continued acceleration. The signing appliance saves an entry in its CA trusted root store, which persists even after a restart.
Additionally, a secondary appliance can be set up to provide failover support for this feature. If the primary appliance experiences an outage, the secondary appliance can take over certificate generation until the primary appliance is operational again.
This process is similar to SSL Simplification in Client Accelerator, with the key difference being that the CA certificate of the signing appliance must be installed on all its peer appliances. Either server-side or client-side appliances can serve as the signing appliance, and this feature can even be implemented on a remote appliance or a non-Riverbed entity.