About SSL main settings
The main SSL/TLS optimization settings are under Optimization > SSL: SSL Main Settings. Complete the configuration on client-side and server-side appliances, and then restart the service.
Enable TLS Optimization
Enables optimization of secure traffic, which accelerates applications that use TLS for encryption. Using in-path rules, you can choose to enable TLS optimization only on certain sessions (based on source and destination addresses, subnets, and ports), on all sessions, or on no sessions at all. A TLS session that is not optimized simply passes through unmodified. Disabled by default.
Enable TLS Profiling
Enables reporting for SSL/TLS connections.
OCSP Stapling Support
Enables Online Certificate Status Protocol (OCSP) stapling. OCSP is an alternative approach to obtaining certificate status from the OCSP servers instead of the origin server’s Public Key Infrastructure (PKI). Enable this setting on server-side appliances.
Off disables OCSP. Disabled by default.
Strict bypasses the connection if the origin server does not support OCSP.
Strict AIA bypasses the connection if the certificate included an Authority Information Access (AIA) field but the origin server failed to send an OCSP response. If the certificate did not include an AIA field and the origin server failed to send an OCSP response, the connection is not dropped because the server-side appliance does not expect an OCSP response.
Loose does not bypass the connection if the origin server does not support OCSP.
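The following added example (not Riverbed code and not part of the original page) models the four modes above as a pre-deployment check: from captured `openssl s_client -status` and `openssl x509 -noout -text` output for each origin server, it predicts which connections would be bypassed. The hostnames, sample captures, and function names are constructed for illustration, and only the presence of a stapled response is evaluated, as in the descriptions above.

```python
import re
# Mode names are the ones on this page; outcomes model its wording only.
MODES = ("Off", "Strict", "Strict AIA", "Loose")

def stapled_response_present(s_client_text):
    """True if `openssl s_client -status` output shows a stapled OCSP response."""
    if re.search(r"OCSP response:\s*no response sent", s_client_text):
        return False
    return bool(re.search(r"OCSP Response Status:\s*\w+", s_client_text))

def has_aia_field(x509_text):
    """True if `openssl x509 -noout -text` output lists an AIA extension."""
    return "Authority Information Access" in x509_text

def predicted_outcome(mode, stapled, aia):
    """Return 'bypass' or 'proceed' for one origin server under one mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "Strict" and not stapled:
        return "bypass"
    if mode == "Strict AIA" and aia and not stapled:
        return "bypass"
    return "proceed"  # Off, Loose, or the mode's requirement was met

def audit(origins):
    """Map each origin to {mode: outcome} from its captured openssl text."""
    report = {}
    for name, (s_client_text, x509_text) in origins.items():
        stapled = stapled_response_present(s_client_text)
        aia = has_aia_field(x509_text)
        report[name] = {m: predicted_outcome(m, stapled, aia) for m in MODES}
    return report

# Constructed sample captures; hostnames and URLs are placeholders.
STAPLED = ("OCSP response: \n======================================\n"
           "OCSP Response Data:\n    OCSP Response Status: successful (0x0)\n")
NO_STAPLE = "OCSP response: no response sent\n"
CERT_AIA = ("    Authority Information Access: \n"
            "        OCSP - URI:http://ocsp.example.test\n")
CERT_NO_AIA = "    X509v3 Basic Constraints: critical\n        CA:FALSE\n"
SAMPLE = {
    "app1.example.test": (STAPLED, CERT_AIA),
    "app2.example.test": (NO_STAPLE, CERT_AIA),
    "app3.example.test": (NO_STAPLE, CERT_NO_AIA),
}

if __name__ == "__main__":
    for host, outcomes in audit(SAMPLE).items():
        print(host, outcomes)
```

Running the audit against every origin server before switching a server-side appliance from Loose to Strict or Strict AIA shows which connections would stop being optimized.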
About automatically generated and signed certificates
Appliances include a module that can automatically generate self-signed certificates when they encounter requests for traffic from a host for which SteelHead does not have a matching server proxy certificate. The appliance configured with the signing CA certificate clones the certificate sent by the initiating appliance, returns a copy to the initiating appliance, signs the clone with its local signing CA, and then sends the clone to the initiating appliance. This time, the initiating appliance recognizes the certificate as signed by a trusted CA and acceleration continues. The signing appliance retains an entry in its CA trusted root store for future connections, and the entry persists if the appliance is restarted.
A secondary appliance can also be configured to provide failover support for this feature. In the event that the primary SteelHead with the certificate server has an outage, a secondary SteelHead can be configured to take over and perform the certificate generation until the primary is up and running again.
This feature behaves much like the SSL Simplification feature in Client Accelerator, with the exception that you must install the signing appliance’s CA certificate on all of its peer appliances. Either a server-side or a client-side appliance may serve as the signing appliance hosting the CA. You can also place this module on a remote appliance or a non-Riverbed entity.