Configures SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for threat detection, managing CA certificates, exemptions, and compliance.
SSL/TLS inspection (also called SSL decryption, HTTPS inspection, or TLS break-and-inspect) intercepts encrypted traffic between clients and servers so that the plaintext can be examined for malware, data exfiltration, policy violations, and command-and-control (C2) communication. The inspection device acts as a trusted man-in-the-middle: it terminates the TLS session from the client, inspects the plaintext, and then opens a new TLS session to the destination server. With more than 95% of web traffic now encrypted, organizations without TLS inspection have a large security blind spot. This skill covers configuring TLS inspection on next-generation firewalls, deploying trusted CA certificates, managing exemptions for applications that use certificate pinning, and ensuring compliance with privacy regulations.
| Mode | Direction | Description |
|---|---|---|
| SSL Forward Proxy | Outbound | Intercepts client HTTPS connections to the internet |
| SSL Inbound Inspection | Inbound | Decrypts traffic destined for internal servers |
| SSH Proxy | Bidirectional | Inspects SSH tunneled traffic |
```text
Client                           Firewall/Proxy                   Web server
  │                                 │                                 │
  │──TLS ClientHello───────────────→│                                 │
  │                                 │──TLS ClientHello───────────────→│
  │                                 │←─TLS ServerHello────────────────│
  │                                 │   (real server certificate)     │
  │                                 │                                 │
  │                                 │ [validate server certificate]   │
  │                                 │ [generate a proxy certificate   │
  │                                 │  signed by the internal CA]     │
  │                                 │                                 │
  │←─TLS ServerHello────────────────│                                 │
  │   (proxy-signed certificate)    │                                 │
  │                                 │                                 │
  │──encrypted data────────────────→│ [decrypt, inspect]              │
  │                                 │──encrypted data────────────────→│
  │←─encrypted data─────────────────│ [decrypt, inspect]              │
  │                                 │←─encrypted data─────────────────│
```
```text
Enterprise root CA
└── Subordinate CA (SSL inspection)
    └── Dynamically generated server certificates
        (CN matches the requested server)
```
```bash
# Create the private key for the SSL inspection CA (-aes256 prompts for a passphrase)
openssl genrsa -aes256 -out ssl-inspect-ca.key 4096

# Create the CA certificate (5-year validity)
openssl req -new -x509 -key ssl-inspect-ca.key \
    -sha256 -days 1825 \
    -out ssl-inspect-ca.crt \
    -subj "/C=US/ST=California/O=Corp Inc/OU=Network Security/CN=Corp SSL Inspection CA" \
    -extensions v3_ca \
    -config <(cat <<EOF
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
)

# Verify the certificate
openssl x509 -in ssl-inspect-ca.crt -text -noout
```
Windows (Group Policy):

```powershell
# Import the CA certificate into the Trusted Root store via GPO
# Computer Configuration > Policies > Windows Settings >
# Security Settings > Public Key Policies > Trusted Root Certification Authorities

# Or deploy via PowerShell
Import-Certificate -FilePath "\\server\share\ssl-inspect-ca.crt" `
    -CertStoreLocation "Cert:\LocalMachine\Root"

# Verify the deployment
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -like "*SSL Inspection CA*"
}
```

macOS (MDM profile or manual):

```bash
# Install from the command line
sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain ssl-inspect-ca.crt
```

Linux:

```bash
# Ubuntu/Debian
sudo cp ssl-inspect-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# RHEL/CentOS
sudo cp ssl-inspect-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```
```text
# Import the CA certificate into the firewall
# Device > Certificate Management > Certificates > Import

# Set it as the forward trust CA
set shared certificate SSL-Inspect-CA forward-trust-certificate yes

# Create the decryption profile
set profiles decryption Corporate-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy restrict-cert-exts yes
set profiles decryption Corporate-Decrypt ssl-forward-proxy strip-alpn no

# Minimum TLS version
set profiles decryption Corporate-Decrypt ssl-protocol-settings min-version tls1-2
set profiles decryption Corporate-Decrypt ssl-protocol-settings max-version max

# Decryption policy: decrypt outbound HTTPS
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust
set rulebase decryption rules Decrypt-Outbound source any
set rulebase decryption rules Decrypt-Outbound destination any
set rulebase decryption rules Decrypt-Outbound service any
set rulebase decryption rules Decrypt-Outbound action decrypt
set rulebase decryption rules Decrypt-Outbound type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Corporate-Decrypt
```
Certain applications and categories must be excluded from TLS inspection:
```text
# Exempt applications that use certificate pinning
set rulebase decryption rules No-Decrypt-Pinned from Trust to Untrust
set rulebase decryption rules No-Decrypt-Pinned application [ apple-update microsoft-update dropbox-base ]
set rulebase decryption rules No-Decrypt-Pinned action no-decrypt

# Exempt privacy-sensitive categories
set rulebase decryption rules No-Decrypt-Privacy from Trust to Untrust
set rulebase decryption rules No-Decrypt-Privacy category [ health-and-medicine financial-services ]
set rulebase decryption rules No-Decrypt-Privacy action no-decrypt

# Exempt specific high-trust domains
set rulebase decryption rules No-Decrypt-Trusted from Trust to Untrust
set rulebase decryption rules No-Decrypt-Trusted destination [ bank-of-america.com chase.com healthcare.gov ]
set rulebase decryption rules No-Decrypt-Trusted action no-decrypt
```
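The firewall walks the decryption rulebase top-down and applies the first rule that matches, so the exemption rules above only take effect when they sit above the general `Decrypt-Outbound` rule. The following is an added example (not code from the original page or from any firewall vendor) that models this evaluation with the page's own rule names, applications, categories and domains, and flags exemptions that an earlier, broader rule would shadow; it assumes all rules share the Trust-to-Untrust zone pair and uses a simplified suffix match for destinations.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One decryption rule in simplified form (all assumed Trust -> Untrust);
    an empty criterion set means 'any', as on the firewall."""
    name: str
    action: str                              # "decrypt" or "no-decrypt"
    applications: frozenset = frozenset()
    categories: frozenset = frozenset()
    destinations: frozenset = frozenset()    # domains, matched as suffixes

    def matches(self, host, app="web-browsing", category="unknown"):
        return ((not self.applications or app in self.applications)
                and (not self.categories or category in self.categories)
                and (not self.destinations
                     or any(host == d or host.endswith("." + d) for d in self.destinations)))

def evaluate(rulebase, host, app="web-browsing", category="unknown"):
    """Walk the rulebase top-down; the first matching rule decides and later rules are
    ignored, so exemptions must sit above the general decrypt rule. No match: stays encrypted."""
    for rule in rulebase:
        if rule.matches(host, app, category):
            return rule.name, rule.action
    return "default", "no-decrypt"

def shadowed_rules(rulebase):
    """Names of rules that can never fire because an earlier rule already covers
    every session they could match (field-by-field superset check)."""
    def covers(broad, narrow):               # empty (any) covers everything
        return not broad or (bool(narrow) and narrow <= broad)
    return [later.name for i, later in enumerate(rulebase)
            if any(covers(e.applications, later.applications)
                   and covers(e.categories, later.categories)
                   and covers(e.destinations, later.destinations) for e in rulebase[:i])]

# The page's exemption rules followed by its general outbound decrypt rule.
PINNED = Rule("No-Decrypt-Pinned", "no-decrypt",
              applications=frozenset({"apple-update", "microsoft-update", "dropbox-base"}))
PRIVACY = Rule("No-Decrypt-Privacy", "no-decrypt",
               categories=frozenset({"health-and-medicine", "financial-services"}))
TRUSTED = Rule("No-Decrypt-Trusted", "no-decrypt",
               destinations=frozenset({"bank-of-america.com", "chase.com", "healthcare.gov"}))
OUTBOUND = Rule("Decrypt-Outbound", "decrypt")
GOOD_ORDER = [PINNED, PRIVACY, TRUSTED, OUTBOUND]
BAD_ORDER = [OUTBOUND, PINNED, PRIVACY, TRUSTED]  # same rules; decrypt rule moved to the top

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, "online.chase.com"), evaluate(BAD_ORDER, "online.chase.com"))
    print("shadowed in BAD_ORDER:", shadowed_rules(BAD_ORDER))
```

With the misordered rulebase every session, including the banking and pinned-application traffic, is decrypted and all three exemptions are reported as shadowed.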
```text
# Import the server certificate and private key
# Device > Certificate Management > Certificates > Import

# Inbound inspection policy
set rulebase decryption rules Inspect-WebServers from Untrust to DMZ
set rulebase decryption rules Inspect-WebServers destination [ 10.0.20.10 10.0.20.11 ]
set rulebase decryption rules Inspect-WebServers service service-https
set rulebase decryption rules Inspect-WebServers action decrypt
set rulebase decryption rules Inspect-WebServers type ssl-inbound-inspection
set rulebase decryption rules Inspect-WebServers profile Corporate-Decrypt
```
```bash
# Test from a client: verify that the certificate issuer is the internal CA
# (</dev/null closes stdin so s_client exits instead of waiting for input)
openssl s_client -connect www.google.com:443 -servername www.google.com </dev/null 2>/dev/null | \
    openssl x509 -noout -issuer -subject
# Expected output (with inspection active):
# issuer= /C=US/O=Corp Inc/OU=Network Security/CN=Corp SSL Inspection CA
# subject= /CN=www.google.com

# Verify that the browser shows no certificate errors
# Check the firewall decryption logs for errors

# Test with curl
curl -v https://www.example.com 2>&1 | grep "issuer"
```

```text
# Check decryption statistics on the firewall
show system setting ssl-decrypt memory
show system setting ssl-decrypt certificate-cache
show counter global filter category ssl
```
| Factor | Impact | Mitigation |
|---|---|---|
| CPU overhead | 50-80% more per session | Hardware SSL acceleration, dedicated decryption appliances |
| Reduced throughput | Typically 40-60% lower | Size decryption hardware for peak encrypted traffic |
| Added latency | Additional 1-5 ms | Deploy inspection devices close to users |
| TLS 1.3 0-RTT | 0-RTT data cannot be inspected | Block 0-RTT or accept the risk |
| Certificate pinning | Inspection fails | Add to the exemption list |
| QUIC/HTTP3 | Bypasses traditional proxies | Block QUIC to force fallback to HTTP/2 |