From AlliedWare Plus release 5.4.7-1 onwards, the URL filtering feature of AR4050S and AR3050S Firewalls has been extended to include the ability to filter SSL-protected websites.
For HTTPS requests, the original URLs are encrypted and therefore not visible for processing. Instead, the domain name specified in the TLS SNI (Transport Layer Security Server Name Indication) field of each HTTPS request is used as the URL for matching.
This filtering capability can be used with user-defined white lists and black lists, as well as with Kaspersky black lists.
From 5.4.7-1 onwards, the Web-Control feature has also been extended to include the ability to categorize SSL-protected websites.
The categorization is performed based on the Server Name Indication (SNI) field contained within the Client Hello message during the Transport Layer Security (TLS) handshake, as the SNI is in clear-text and represents the domain part of the URL of the HTTPS request.
The SNI field is contained within the Client Hello message supplied during the TLS handshake when a client web browser first attempts to access a secure HTTPS server website.
The SNI information is supplied in clear-text, and represents the domain part of the URL of the HTTPS request.
The SNI field is used by secure web servers hosting multiple secure websites, and allows a secure web server with a single public IP address to host multiple websites. It allows the secure web server to supply the correct digital certificate containing the correct domain name(s) to the requesting web browser client, so that the negotiation of the encrypted connection to the website can proceed.