Glossary entry (derived from question below)
Russian term or phrase:
Нерасшифровываемые SSL-хосты
English translation:
Non-decrypted SSL hosts
Added to glossary by
Yulia Savelieva
Feb 25, 2018 20:44
Russian to English
Tech/Engineering
IT (Information Technology)
Information Security / DL
No context other than it's a user interface element of a data protection system.
TIA
Proposed translations
(English)
3 +2 | Non-decryptable SSL hosts | Vladyslav Golovaty |
3 | encrypted SSL host headers/names | Lazyt3ch |
Proposed translations
+2
2 mins
Selected
Non-decryptable SSL hosts
https://serverfault.com/questions/788127/configure-squid-to-...
--------------------------------------------------
Note added at 3 mins (2018-02-25 20:48:39 GMT)
--------------------------------------------------
Squid-3.5 can do that with the "ssl_bump splice" action if the traffic actually is TLS but not decryptable ...
--------------------------------------------------
Note added at 6 days (2018-03-04 16:18:59 GMT) Post-grading
--------------------------------------------------
Thank you so much!
Peer comment(s):
agree | Jack Doughty | 1 hr | Thank you very much, Jack! |
agree | Turdimurod Rakhmanov | 4 hrs | Thank you very much, Turdimurod! |
4 KudoZ points awarded for this answer.
5 hrs
encrypted SSL host headers/names
How SNI Changed the Concept of Hosting HTTPS Web Sites? – Support Engineer Days Online
https://blogs.msdn.microsoft.com/omnia/2012/11/10/how-sni-ch...
== BEGIN QUOTE ==
The only two options to host multiple SSL sites on IIS:
1) Assign different IP addresses to different web sites. In that case you can assign different certificates to the different web sites because IIS can separate the web sites to serve for requests using the requested site’s IP address.
2) Use SAN or Wildcard certificate to host multiple web sites on same IP address and port (e.g.:443) then you need to use SSL Host Headers to separate multiple web sites.
For SAN Certificate we would add multiple host names (Domains) or subdomains like Contoso.com, DagHc1,DagHc1.Contoso.com
<...>
If you are using the same IP address and the same port (e.g.: 443) then when the request arrives to IIS, it cannot understand which site is requested because the requested host name is also encrypted in SSL session. So, IIS first needs to decrypt the request to have the host name, then it can identify the correct web site because it would have the requested host name. In other words, IIS understands which site to be served after decrypting the request with SSL and then is able to send the request to the correct web site. This means that when the request comes to the web server, as IIS do not know which site to serve, IIS cannot verify which SSL certificate to decrypt the request so there is a need to have just one certificate for decryption process with only one IP address and same port.
== END QUOTE ==
Run Multiple Websites On The Same IP Address And Port Even Over SSL - Steve Fenton
https://www.stevefenton.co.uk/2011/06/run-multiple-websites-...
== BEGIN QUOTE ==
Once you have run this for each web site, you should run an IIS Reset and make sure that all of your web sites have started. If you have forgotten one of the steps listed in this article, one of your web sites will refuse to start with a message about not being able to write a file that already exists.
What this process changes is that it allows IIS to decrypt the host-header using the shared certificate before it decides which web site can service the request. With the decrypted host header, IIS can route the request to the correct web site.
== END QUOTE ==
Please beware, it’s mostly a wild guess.
--------------------------------------------------
Note added at 5 hrs (2018-02-26 02:02:47 GMT)
--------------------------------------------------
I believe that in this case нерасшифровываемые means that host names stay encrypted but doesn’t mean that they cannot be decrypted. More context would certainly help.
--------------------------------------------------
Note added at 20 hrs (2018-02-26 17:04:54 GMT)
--------------------------------------------------
Another option:
SSL hosts [whose traffic is] excluded from decryption
The problem is you probably have to fit the translation into a limited space, so I enclosed part of the text in brackets.
Here’s an example:
Exclude domains from inspection of HTTPS traffic
http://help.stonesoft.com/onlinehelp/StoneGate/SMC/6.4.0/GUI...
== BEGIN QUOTE ==
The HTTPS Inspection Exceptions element is a list of domains that are excluded from decryption and inspection.
About this task
HTTPS Inspection Exceptions are used in a custom HTTPS service to define a list of domains for which HTTPS traffic is not decrypted. The custom HTTPS service must be used in a rule, and only traffic that matches the rule is excluded from decryption and inspection. HTTPS Inspection Exceptions are primarily intended for backwards compatibility.
== END QUOTE ==
Note from asker:
Thank you. I agree that these are hosts that remain encrypted (not those that cannot be decrypted); but in this case it should be "non-decrypted SSL hosts", because "non-decryptable" means that they cannot be decrypted.