Proxies that do not intercept TLS connections can be used without issues. This may include HTTP proxies that support the CONNECT method. The Fortanix Self-Defending KMS architecture ensures that sensitive information is always encrypted in transit (using TLS) and, on the server side, while stored and in use (using Fortanix Runtime Encryption® technology).
A proxy that does intercept TLS connections and decrypts the TLS traffic in transit would potentially expose key material and sensitive plaintext. Therefore, proxies should not be configured to intercept TLS connections using a Certification Authority that is trusted by the client.
Configuring such unsupported proxies with Fortanix Self-Defending KMS results in the following limitations:
- Sensitive data may be leaked:
  - Data such as the input to encrypt, sign and verify operations, and the output of decrypt operations.
  - Imported and exported key material.
- No support from Fortanix:
  - The Fortanix Quality Assurance team does not test software releases with a TLS-intercepting proxy configuration, including releases that provide urgent security updates.
  - The Fortanix Customer Success team cannot help design or configure a system that includes a TLS-intercepting proxy.
- Current or future functionality of Fortanix Self-Defending KMS may be degraded or non-functional, including but not limited to:
  - Audit logs will show an incorrect source IP address.
  - Apps cannot use certificate-based authentication (mutual TLS), including KMIP.
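As an added example (not Fortanix code or a product-documented procedure), the following Python check detects the intercepting-proxy case described above: it tunnels a TLS handshake through the proxy with CONNECT and compares the SHA-256 fingerprint of the certificate presented through the proxy with one recorded out of band, for example over a direct connection. The proxy address, the KMS host name and the expected fingerprint are assumed inputs.

```python
import hashlib
import socket
import ssl


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request asking the proxy for a raw TCP tunnel to host:port.
    A non-intercepting proxy replies 2xx and then only relays bytes, so the
    TLS handshake that follows stays end-to-end between client and KMS."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def connect_succeeded(reply: bytes) -> bool:
    """True if the proxy's status line is HTTP/x.y 2xx."""
    parts = reply.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"2"


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()  # lowercase hex, no colons


def is_intercepted(presented_der: bytes, expected_sha256: str) -> bool:
    """An intercepting proxy must re-issue the server certificate under a CA
    this client trusts, so chain validation passes but the leaf fingerprint
    differs from the one obtained out of band (assumed expected_sha256)."""
    return cert_fingerprint(presented_der) != expected_sha256.lower()


def read_proxy_reply(sock: socket.socket) -> bytes:
    buf = b""
    while b"\r\n\r\n" not in buf:  # read to end of proxy response headers
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def check_via_proxy(proxy_host: str, proxy_port: int, kms_host: str,
                    expected_sha256: str, kms_port: int = 443) -> bool:
    """Returns True when the proxy is intercepting TLS to kms_host."""
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(kms_host, kms_port))
        reply = read_proxy_reply(raw)
        if not connect_succeeded(reply):
            raise RuntimeError(f"proxy refused CONNECT: {reply[:80]!r}")
        # Default context trusts the system store, an interception CA included,
        # so the handshake succeeds either way; the pin is the real check.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=kms_host) as tls:
            return is_intercepted(tls.getpeercert(binary_form=True), expected_sha256)
```

A result of True means a CA trusted by this client re-signed the KMS certificate, which is exactly the configuration the limitations above apply to.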