Constellix is committed to offering innovative products and services that allow you to meet compliance and security demands without sacrificing advanced functionality. Our SSL Certificate policy enforces industry best practices for HTTPS monitoring in Sonar.
SSL policies allow you to control the features of SSL that Sonar uses to negotiate with external clients. In this document, the term SSL refers to both the SSL and TLS protocols.
SSL policies are supported with:
- Sonar Performance Monitoring
Note: SSL policies are not supported with internal HTTP(S) products and services.
Defining SSL Policies in Constellix
SSL certificates play a major role in end-user privacy and are critical to your domain’s security and brand reputation. Our recommended policy is “Modern.” From here on out, any new Sonar check added in Constellix will be set to Modern by default. For a different policy, you will need to change it manually.
In Constellix, we offer several SSL check modes in Sonar:
- Restricted
This option is the most restrictive and is intended for clients with strict compliance requirements, such as banks and payment processing companies. Choosing “Restricted” will require clients to use TLS 1.2, regardless of your chosen minimum TLS version.
- Modern (recommended)
Modern is our recommended setting. It is a well-rounded option that supports a broad range of SSL features, reduces false positives, and follows industry best practices.
This option ensures high SSL compatibility; however, it will fail PCI compliance, security checks, and third-party reviews because it supports outdated encryption.
- Ignore (not recommended)
This option is the least restrictive and the least recommended, as it is not secure and supports invalid certs, out-of-date TLS, self-signed certificates, and other antiquated SSL features. Ignore will also cause visitors to receive “back to safety” warnings when trying to access your domain.
To view or edit your current Sonar policies, log in to the Sonar dashboard.
SSL Policy Features
The following table lists the available SSL policy features for each pre-configured profile. All of the features control whether particular cipher suites can be used, and apply only to client connections that use TLS version 1.2 or earlier, not to clients that use QUIC.