Testing SSL Inspection Policy

Zscaler does not provide a test page for testing SSL Inspection, but you can still test these settings using a third-party page such as https://badssl.com. For its TLS version tests, badssl uses ports other than the standard HTTPS port, so you need to make sure that you are allowing HTTPS connections on non-standard ports and that your firewall rules will not block those requests.

This means we cannot test the TLS version (Minimum Server TLS Version) with Tunnel 1.0, where only ports 80 and 443 are inspected, because these tests use non-standard ports. So if you are on Tunnel 1.0, you will either need to connect to Zscaler using IPsec, GRE or Z-Tunnel 2.0 for this test to work, or find a different page that does not support TLS 1.2 on port 443.

However, you can still test Minimum Client TLS Version with Tunnel 1.0. This can be done with Mozilla Firefox.

This is a sample configuration that you can consider using for this test:

image.png

To force TLS 1.0, open the Mozilla Firefox browser:

  1. In the address bar, type about:config and press Enter.

  2. In the Search field, enter tls. Find and double-click the entry for security.tls.version.min.

  3. Set the integer value to 1 to force TLS 1.0.

  4. Find and double-click the entry for security.tls.version.max.

  5. Set the integer value to 1 to force TLS 1.0.

image.png

Note that, for both variables, a value of 2 forces TLS 1.1, a value of 3 forces TLS 1.2 and a value of 4 forces TLS 1.3.

After the change, try to open any page such as bbc.com or badssl.com. You should see a block page.

image.png
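
The same single-version test can be scripted when you want to check several client TLS versions against the policy. The Python sketch below is an added example, not Zscaler tooling: it pins the client to one TLS version using the same 1 to 4 values as the Firefox preferences, then reports the negotiated version, the certificate issuer and the HTTP status line so you can compare results with the policy enabled and disabled. The names `pinned_context` and `probe` and the optional `cafile` (a PEM file holding your organisation's SSL inspection root certificate) are assumptions, as is a local OpenSSL build that still supports TLS 1.0 and 1.1.

```python
import socket
import ssl

# Firefox security.tls.version.min/max integers, as listed on this page.
FIREFOX_PREF_TO_TLS = {
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_1,
    3: ssl.TLSVersion.TLSv1_2,
    4: ssl.TLSVersion.TLSv1_3,
}

def pinned_context(pref_value, cafile=None):
    """Client context that offers exactly one TLS version (min == max)."""
    version = FIREFOX_PREF_TO_TLS[pref_value]
    # cafile (assumed): PEM file with the SSL inspection root certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    if version < ssl.TLSVersion.TLSv1_2:
        # Many OpenSSL builds refuse TLS 1.0/1.1 at the default security level.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, pref_value, port=443, cafile=None, timeout=10):
    """Handshake with one pinned version, then read the HTTP status line."""
    result = {"offered": FIREFOX_PREF_TO_TLS[pref_value].name}
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = pinned_context(pref_value, cafile)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["negotiated"] = tls.version()
                issuer = tls.getpeercert()["issuer"]
                result["issuer"] = dict(rdn[0] for rdn in issuer)
                tls.sendall(request.encode())
                first = tls.recv(4096).split(b"\r\n", 1)[0]
                result["status_line"] = first.decode("latin-1")
    except (ssl.SSLError, OSError) as exc:
        # Covers refused handshakes, certificate errors and network failures.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

if __name__ == "__main__":
    # badssl.com is the test site named on this page.
    for pref in sorted(FIREFOX_PREF_TO_TLS):
        print(probe("badssl.com", pref))
```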

As for testing untrusted server certificates, you can still make use of https://badssl.com, as shown in the screenshot below:

image.png

image.png