Thou Shall Not Pass: Gatekeeping Outbound TLS Connections

📅 2026-05-29
📈 Citations: 0
✨ Influential: 0

🤖 AI Summary
Outdated or non-standard TLS configurations hinder clients’ ability to manage security risks in outbound connections. This work proposes TLSGatekeeper, a network-side system that monitors TLS handshakes in real time without requiring client modifications, dynamically identifying and blocking non-compliant connections according to organizational policies while preserving end-to-end privacy. By integrating real-time traffic analysis, policy-driven compliance validation, and high-performance packet processing, TLSGatekeeper achieves throughput up to 100 Gbps and introduces only 671 ns and 795 ns of average latency for TLS 1.3 and 1.2 handshakes, respectively. The system effectively overcomes the limitations of traditional firewalls in enforcing TLS compliance policies.
πŸ“ Abstract
Despite the widespread use of Transport Layer Security (TLS), its security guarantees are frequently compromised by outdated versions and misconfigurations. To analyze this problem, we collected more than 50 million TLS handshakes over a two-week period at our research institution, Fondazione Bruno Kessler, and analyzed three server-selected parameters against the recommendations of four TLS guidelines. Our analysis shows that while the use of insecure or outdated options is minimal, it remains persistent. More importantly, servers are adopting the latest TLS advancements much faster than official guidelines can be updated to provide directives for them. These findings, combined with the difficulty of configuring TLS clients due to their ephemeral, ubiquitous and server-dependent nature, leave users vulnerable to non-standard or outright insecure connections. To address this, we present TLSGatekeeper, a real-time, network-based tool that transparently monitors handshakes, analyzes server parameters, and, based on organizational policy, reports non-compliant connections without requiring client-side modifications. Unlike Next-Generation Firewalls, TLSGatekeeper preserves end-to-end privacy by validating only handshakes, and offers greater flexibility in defining undesired configurations. Our evaluation shows that TLSGatekeeper sustains traffic rates of up to 100 Gbps while preventing insecure connections, with an average added processing delay of 671 ns (TLS 1.3) and 795 ns (TLS 1.2) per handshake packet, making enforcement feasible at scale.
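The abstract's core mechanism, reading the server-selected parameters out of a handshake and checking them against an organisational policy, as an added worked example (this is not code from the paper or from TLSGatekeeper): a small Python ServerHello parser that extracts the negotiated version, the selected cipher suite and, for TLS 1.3, the key-share group from a raw handshake record, then reports policy violations. This page does not say which three parameters the paper analyzes, so the choice of version, cipher suite and key-share group, the policy values, and the sample records (constructed inline with zero randoms and empty session ids) are all assumptions made for this example; the protocol constants are the real RFC values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Protocol constants from RFC 5246 / RFC 8446 (real values).
CONTENT_HANDSHAKE, HANDSHAKE_SERVER_HELLO = 0x16, 0x02
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002B, 0x0033
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
GROUP_NAMES = {0x0017: "secp256r1", 0x001D: "x25519", 0x0100: "ffdhe2048"}

@dataclass
class ServerHelloParams:
    version: int          # negotiated version (supported_versions overrides legacy_version)
    cipher_suite: int     # the one suite the server selected
    group: Optional[int]  # key_share group; only a TLS 1.3 ServerHello carries it

@dataclass
class Policy:             # hypothetical policy shape (assumed for this example, not the paper's)
    allowed_versions: set
    allowed_ciphers: set
    allowed_groups: set

def parse_server_hello(record: bytes) -> ServerHelloParams:
    """Extract the server-selected parameters from one ServerHello TLS record."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    (legacy_version,) = struct.unpack("!H", hs[0:2])
    off = 2 + 32 + 1 + hs[34]    # skip the 32-byte random and the length-prefixed session id
    (cipher,) = struct.unpack("!H", hs[off:off + 2])
    off += 2 + 1                 # cipher suite, then legacy compression method
    version, group = legacy_version, None
    if off < len(hs):            # the extensions block is optional in TLS 1.2
        (ext_len,) = struct.unpack("!H", hs[off:off + 2])
        off += 2
        end = off + ext_len
        if end > len(hs):
            raise ValueError("truncated extensions block")
        while off < end:
            if off + 4 > end:
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            edata = hs[off + 4:off + 4 + elen]
            if len(edata) != elen or off + 4 + elen > end:
                raise ValueError("truncated extension body")
            off += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                (version,) = struct.unpack("!H", edata)    # TLS 1.3 puts the real version here
            elif etype == EXT_KEY_SHARE and elen >= 4:
                (group,) = struct.unpack("!H", edata[:2])  # KeyShareEntry.group
    return ServerHelloParams(version, cipher, group)

def check_policy(p: ServerHelloParams, policy: Policy) -> list:
    """Return the policy violations for one handshake; an empty list means compliant."""
    out = []
    if p.version not in policy.allowed_versions:
        out.append(f"version {VERSION_NAMES.get(p.version, hex(p.version))} not allowed")
    if p.cipher_suite not in policy.allowed_ciphers:
        out.append(f"cipher suite {CIPHER_NAMES.get(p.cipher_suite, hex(p.cipher_suite))} not allowed")
    if p.group is not None and p.group not in policy.allowed_groups:
        out.append(f"key-share group {GROUP_NAMES.get(p.group, hex(p.group))} not allowed")
    return out

def build_server_hello(legacy_version: int, cipher: int, extensions: list) -> bytes:
    """Builds constructed sample records (zero random, empty session id); not captured traffic."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hs = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!H", cipher)
          + b"\x00" + struct.pack("!H", len(ext_blob)) + ext_blob)
    body = bytes([HANDSHAKE_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([CONTENT_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(body)) + body

# Assumed policy values: TLS 1.2/1.3 only, AEAD suites only, x25519 or P-256 key shares.
POLICY = Policy(allowed_versions={0x0303, 0x0304}, allowed_ciphers={0x1301, 0x1302, 0xC02F},
                allowed_groups={0x001D, 0x0017})

# Constructed samples: compliant TLS 1.3; TLS 1.3 with a disallowed group; TLS 1.2 with 3DES; TLS 1.0.
SAMPLE_TLS13_OK = build_server_hello(0x0303, 0x1301, [(EXT_SUPPORTED_VERSIONS, b"\x03\x04"),
                                                      (EXT_KEY_SHARE, b"\x00\x1d\x00\x20" + bytes(32))])
SAMPLE_TLS13_FFDHE = build_server_hello(0x0303, 0x1302, [(EXT_SUPPORTED_VERSIONS, b"\x03\x04"),
                                                         (EXT_KEY_SHARE, b"\x01\x00\x01\x00" + bytes(256))])
SAMPLE_TLS12_3DES = build_server_hello(0x0303, 0x000A, [])
SAMPLE_TLS10 = build_server_hello(0x0301, 0x002F, [])

if __name__ == "__main__":
    for name, rec in [("tls13_ok", SAMPLE_TLS13_OK), ("tls13_ffdhe", SAMPLE_TLS13_FFDHE),
                      ("tls12_3des", SAMPLE_TLS12_3DES), ("tls10", SAMPLE_TLS10)]:
        print(name, check_policy(parse_server_hello(rec), POLICY) or "compliant")
```

The parser only ever reads the handshake record, never application data, which is the privacy property the abstract contrasts with Next-Generation Firewalls. In a network tap you would feed it the first server-to-client handshake record of each flow; a TLS 1.2 key-exchange group is carried in ServerKeyExchange rather than ServerHello, so the group check applies only to TLS 1.3 here. Any structurally broken record raises rather than being silently classified as compliant.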
Problem

Research questions and friction points this paper is trying to address.

TLS security
outbound connections
misconfigurations
protocol compliance
handshake analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

TLSGatekeeper
outbound TLS monitoring
handshake analysis
privacy-preserving enforcement
real-time policy compliance
Henrique B. Brum
Department of Information Engineering and Computer Science, University of Trento, 38123 Povo, Italy; Cybersecurity Center, Fondazione Bruno Kessler, 38123 Povo, Italy
Matteo Franzil
Department of Information Engineering and Computer Science, University of Trento, 38123 Povo, Italy; Cybersecurity Center, Fondazione Bruno Kessler, 38123 Povo, Italy
Riccardo Germenia
Cybersecurity Center, Fondazione Bruno Kessler, 38123 Povo, Italy
Salvatore Manfredi
Cybersecurity Center, Fondazione Bruno Kessler, 38123 Povo, Italy
Domenico Siracusa
Associate Professor, University of Trento
Luis A. Dias Knob
Cybersecurity Center, Fondazione Bruno Kessler, 38123 Povo, Italy