Mattias_Jansson
Contributor

CN/SNI cache


Hi!

The sk163594 - What's new in HTTPS Inspection starting from R80.20 says:

"At the start of the TLS handshaking process, the client sending the TLS Client Hello indicates the hostname it is attempting to connect to by providing the server hostname as the content of the SNI field. The Security Gateway matches this hostname against the Subject Alternative Names found in the certificate presented by the responding host in the TLS Server Hello.
The Security Gateway keeps a cache about the result of this verification process in order to save CPU cycles, traffic, and connection initialization latency if subsequent TLS connections are requested to the same destination site."

Does anyone know how long these records stay in the cache, and whether it is configurable?

Best regards
/Mattias


Accepted Solutions
PhoneBoy
Admin

From the research I've done, if you look at fw tab -t cptls_host_name_cache, it should show you how long these entries last.
See also: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

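As an added illustration of the answer above (not code from the thread or from Check Point): the header that fw tab -t <table> prints for a kernel table lists its attributes, and the TTL for entries is the number after "expires" (in seconds). The snippet below extracts that number from fw tab output; the sample header is constructed here to match the general shape of fw tab headers, and it is an assumption that the real cptls_host_name_cache header carries an "expires" attribute and that the value shown is illustrative rather than the gateway default.

```shell
#!/bin/sh
# Added example, not from the thread. On a gateway you would pipe the real
# command into the function:
#   fw tab -t cptls_host_name_cache | table_ttl_seconds
# Offline, the function is exercised against the constructed header below.

# Reads fw tab output on stdin and prints the value after "expires"
# (entry TTL in seconds), or "never" when the table header has no
# expires attribute (entries then live until explicitly removed).
table_ttl_seconds() {
    awk '
        /attributes:/ && match($0, /expires [0-9]+/) {
            # "expires " is 8 characters; print only the digits after it
            print substr($0, RSTART + 8, RLENGTH - 8)
            found = 1
            exit
        }
        END { if (!found) print "never" }
    '
}

# Convenience wrapper so the parser can be called on a string.
ttl_from_text() {
    printf '%s\n' "$1" | table_ttl_seconds
}

# Constructed sample in the shape of an fw tab header (assumption: the real
# cptls_host_name_cache header looks similar; 3600 is illustrative only).
SAMPLE_HEADER='localhost:
-------- cptls_host_name_cache --------
dynamic, id 8191, num ents 2, load factor 0.1, attributes: keep, sync, expires 3600, hashsize 512, limit 25000'

# Constructed sample of a table whose entries do not age out.
SAMPLE_STATIC='localhost:
-------- some_static_table --------
static, id 42, num ents 1, attributes: keep, hashsize 64'

ttl_from_text "$SAMPLE_HEADER"   # prints 3600
ttl_from_text "$SAMPLE_STATIC"   # prints never
```

Comparing the "expires" value against the refresh behaviour of the table (the "refresh" attribute, when present, means the timer is reset on every hit) tells you whether a busy destination's verification result effectively never leaves the cache, which is the practical answer to the question asked.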