Imperva Cyber Community


Can we turn off SSL certificate trust validation between Imperva and the backend

  • 1.  Can we turn off SSL certificate trust validation between Imperva and the backend

    Posted 07-16-2023 12:14

    Hi Folks,

    I have a question about the SSL handshake being established between Imperva and the backend. Assume the client to Imperva side is configured properly.

    If the backend has a self-signed certificate, does Imperva try to validate its authenticity automatically as soon as the site is onboarded to Imperva? Does this process of authentication cause problems for the administrator when Imperva does not trust the backend server certificate?

    If so, to overcome this problem, is there a way to disable the SSL certificate validity check and tell the CWAF to accept any SSL cert provided by the backend without considering if it can be trusted or untrusted?

    Or, to put it simply, can the CWAF work with self-signed certificates, or should there always be trusted certificates for the backend to work properly?


    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Sasith Senanayake
    Associate Network and Security Engineer
    Connex Information Technologies (Pvt) Ltd.
    Colombo
    ------------------------------


  • 2.  RE: Can we turn off SSL certificate trust validation between Imperva and the backend

    Posted 08-01-2023 10:01

    Hi Sasith,

    By default, the proxy doesn't check whether the Origin Server certificate is expired or if it contains an incorrect CN. Therefore, CWAF can work with self-signed certificates without any issues. You can work with Imperva Support to change this behavior and enforce certificate validation if needed. This will include the following checks:

    1. Origin Certificate is self-signed;
    2. Origin Certificate is expired;
    3. Origin Certificate contains mismatched CN.

    Let me know if you have any further questions. 



    ------------------------------
    Bartosz Chmielewski
    SE
    Imperva
    ------------------------------
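
An added example, not part of the thread and not Imperva code: a local pre-flight with the OpenSSL CLI that approximates the three checks listed in the reply, useful for seeing how an origin certificate would fare before asking Support to enforce validation. How Imperva implements the checks is not stated on the page; the function names and the `example.test` host names are hypothetical, and the sample certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example: local approximation of the three origin-certificate checks
# listed in the reply, using the OpenSSL CLI. How Imperva implements them is
# not stated on the page. Host names below are hypothetical.

# Save the leaf certificate a live origin presents (needs network; $3 = SNI).
fetch_origin_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Check 1: the cert verifies with itself as the only trust anchor.
# -no_check_time keeps an expired self-signed cert from hiding this result.
is_self_signed() {
    openssl verify -no_check_time -CAfile "$1" "$1" >/dev/null 2>&1
}

# Check 2: notAfter is in the past (an unreadable file also reports expired).
is_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Check 3: the name matches a SAN entry, or the CN when no DNS SAN exists.
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

preflight() {  # usage: preflight cert.pem expected-origin-name
    ss=no; ex=no; mm=no
    is_self_signed "$1" && ss=yes
    is_expired "$1" && ex=yes
    name_matches "$1" "$2" || mm=yes
    echo "self-signed=$ss expired=$ex name-mismatch=$mm"
}

# Constructed sample input: a throwaway self-signed cert for a made-up name.
make_sample_cert() {  # usage: make_sample_cert dir common-name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" origin.example.test
preflight "$demo_dir/cert.pem" origin.example.test
preflight "$demo_dir/cert.pem" www.example.test
rm -rf "$demo_dir"
```

For a live check, point `fetch_origin_cert` at the origin server's own address, since the public hostname terminates TLS at Imperva.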