Web Protection - SSL/TLS
This topic describes how Incapsula handles secure communication.
In this topic:
To support secure websites (HTTPS), Incapsula must host a valid SSL certificate for the website domain. Incapsula supports two types of certificates for this purpose:
As part of the activation process, Incapsula requires that a secure website add its domain to an existing Incapsula certificate. This certificate will be presented to any visitor trying to access your website, indicating that the connection is secure.
The Incapsula certificate is used by default for both SNI and non-SNI supporting clients. Server Name Indication (SNI) is a TLS extension that enables a client to indicate the hostname it wants to connect to at the start of the handshake process. Many older browsers do not support SNI. If you choose to provide us with your existing domain certificate in addition to the Incapsula certificate, your certificate is used for SNI-supporting clients, and the Incapsula certificate continues to be used for non-SNI supporting clients.
The process for adding your domain to an Incapsula certificate is triggered automatically from the Add Site wizard when you first onboard your website to Incapsula, or using the Add site API. This process requires that you prove that you are the owner of the domain you are adding to Incapsula using one of three available methods:
- Email validation: A validation email will be sent to one of the email addresses associated with your domain. A list of email addresses is displayed during the process. If the addresses are no longer in use or you wish to use a different one, contact Support to request the change. The requested email address must be listed in your domain’s Whois record.
- DNS validation: You will be provided with a unique DNS entry to add to your domain DNS zone.
- Meta tag validation: You will be provided with a unique HTML string to be added to one of the URLs on your website.
If you did not complete SSL validation during the onboarding process and your site is already onboard with Incapsula, email validation is the only available option.
Once you have chosen a validation method and completed the validation steps, Incapsula automatically adds your domain to the Incapsula certificate and provides DNS instructions. This is the final step in setting up your domain on Incapsula.
Original domain certificate (optional)
You may choose to add your existing domain certificate to Incapsula in addition to the Incapsula-generated certificate. This can be done by uploading the certificate and private keys to Incapsula via the management console. For details, see Upload a Custom Certificate for Your Website on Incapsula.
It is important to note that these uploaded certificates are presented only to SNI-supporting clients. A list of SNI-supporting clients can be found here: https://en.wikipedia.org/wiki/Server_Name_Indication.
HTTPS traffic arrives at Incapsula, where Incapsula terminates the SSL connection. It decrypts the traffic, analyzes it, and filters out malicious visitors and requests. The next step for legitimate requests is for Incapsula to return a response to the visitor from the cache, or forward the request on to the origin server if necessary. Incapsula encrypts the traffic at this point before sending it on.
All communication between visitors <--> Incapsula (Connection A) is handled by the certificates stored in Incapsula. Communication between Incapsula <--> your site (Connection B) is handled by the original domain certificate located on your web server.
Does Incapsula add latency to SSL termination?
We employ the following advanced techniques, designed to speed up the process and minimize latency:
|Session resumption||A normal SSL handshake requires 2 round trips (4 packets). Session resumption enables the client and the server to complete an SSL handshake for connections after the first connection (2nd, 3rd, etc) in one round trip, by reusing some of the work done when the first connection was established.|
|OCSP stapling||When establishing SSL connections, clients need to verify the certificate presented by the server. One of the checks the client makes is to ensure the certificate was not revoked by its CA. In order to do that, the client needs to contact the CA, which slows down the connection process. OCSP allows the server to check the revocation status of the certificate and send it to the client as part of the connection, so the client doesn't have to contact the CA itself.|
|HTTP/2||HTTP/2 enables a client to send multiple simultaneous requests over a single SSL connection. The result is that the HTTP/2 enabled clients do not need to open as many connections as HTTP/1.x clients.|
|Optimized hardware||Incapsula servers are optimized to run encryption related workloads by offloading some of the encryption workload to hardware.|
When traffic arrives at Incapsula, can Incapsula decrypt it and send me clear traffic?
No. To provide data security and meet PCI requirements, encryption is required during all legs of the journey.
Can our origin server send clear traffic to Incapsula and have Incapsula encrypt it before sending it back to visitors?
No, for the same reason.
Do Incapsula and your origin servers need to use the same TLS versions and cipher suites?
No. The connection between visitors <--> Incapsula, and the connection between Incapsula <--> your origin server are two separate connections. Each segment can use a different TLS version and cipher suite.
TLS 1.3, 1.2, 1.1, 1.0, and SSLv3 are supported for connectivity between clients (visitors) and the Incapsula service. TLS 1.2 is the minimum supported version, by default.
PCI-DSS v3.2 compliance
PCI-DSS compliance requires disabling the use of TLS 1.0 as of July 1, 2018. To comply with this requirement, and due to the known vulnerabilities in TLS 1.1, Incapsula has defined TLS 1.2 as the default minimum supported version. This also applies to the Incapsula Management Console and the Incapsula API.
Connectivity between a website’s origin server and the Incapsula service is the responsibility of the Incapsula customer.
A client with an unsupported TLS version will not be able to establish a connection to Incapsula. The client (a browser, for example) may show the following SSL error message: ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and will not be able to access the site.
Enterprise and Business accounts that need to keep supporting TLS v1.0 and TLS v1.1 can opt out and choose to enable support for all TLS versions, on a per site basis. Opting out means that clients will be able to establish connections to your site using TLS v1.0, v1.1, and v1.2. This is not recommended. To remain PCI compliant, do not enable this option.
Choosing to enable the option to support all TLS versions may require migration of your sites to the new Incapsula service network, which offers additional security options, customization, and visibility. As a result, you may be required to update the following:
- Update of the A-record for your domain to point to the new IPs provided by Incapsula.
- Revalidation of your Incapsula-generated certificate/SAN for your opted-out sites: When possible, SSL certificates currently in use will be moved automatically to the new platform. For certificates that cannot be moved automatically, you will be required to revalidate ownership of your domain in order to issue new SSL certificates. This typically requires that you add the relevant authorization string in a DNS TXT record to be viewed by the CA. You will receive instructions on how to complete the revalidation.
Note: If you want to set TLS 1.1 as the minimum supported version for your site, contact Support.
To opt out of TLS 1.2 enforcement, enable support for all TLS versions:
From the Incapsula Management Console:
- Enable the Support All TLS Versions option for the account. For details, see Account Settings.
- Enable the Support All TLS Versions option for each site that you want to support versions of TLS earlier than 1.2. For details, see Web Protection - General Settings.
Using the API:
- Use the Modify Account Configuration operation in Account Management API.
- Use the Set support for all TLS versions operation in Site Management API.