https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860102#M1030600 <P>So guys,</P> <P></P> <P>I opened case in TAC and got my answer. Traffic flow as follows:</P> <P></P> <P>The client hello passes through to the end server. The end server sends</P> <P>back the server hello with the chosen cipher suite. Then when the</P> <P>client sends the premaster secret we intercept that and send the client</P> <P>our master secret and the server our premaster secret. This is how we</P> <P>own the key and can decrypt resign the traffic.</P> <P></P> <P>That means you can't control negotiated cipher suite. If firepower doesn't support negotiated cipher you can't decrypt it... All you can do - do not decrypt and left users unprotected because large number of sites using cipher suites currently not supported by firepower.</P> Tue, 14 Jun 2016 14:12:19 GMT Valery Denisov 2016-06-14T14:12:19Z https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860097#M1030595 <P>Hello&nbsp;!</P> <P><BR />We have physical sensors&nbsp;and want to use ssl inspection for users traffic.</P> <P><BR />When we deploy this function we have (almost on any site) - unknown cipher error.</P> <P><BR />From SSL workflow we know that cipher suite selected by SERVER HELLO which in our case must be Firepower.</P> <P>So how can we strictly set which cipher to use on Firepower to negotiate SSL connection and remove this error ?</P> <P></P> <P>Thank you!</P> Tue, 26 Mar 2019 01:16:22 GMT https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860097#M1030595 Valery Denisov 2019-03-26T01:16:22Z https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860098#M1030596 <P>Hi,</P> <P></P> <P>Check : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html</P> <P></P> <P>Make sure you have the certificate etc in place.</P> <P></P> <P>Regards,</P> <P>Aastha Bhardwaj</P> <P>Rate if that helps!!!</P> Thu, 02 Jun 2016 13:12:17 GMT https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860098#M1030596 Aastha Bhardwaj 2016-06-02T13:12:17Z https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860099#M1030597 <P>Sure i have it.</P> <P></P> <P>Without cert or key you cannot create ssl policy.</P> <P></P> <P>We tested several sites and some of them allow ssl inspecton while most of them require not supported cipher suite by firepower.</P> Thu, 02 Jun 2016 16:38:21 GMT https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860099#M1030597 Valery Denisov 2016-06-02T16:38:21Z https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860100#M1030598 <P>Folks,</P> <P></P> <P>any tips ? Task seems be obvious but no luck with configuration. For example, i can see chrome use&nbsp;<SPAN>CHACHA20_POLY1305 for cipher and firepower can do nothing about this. How to prevent this situation ? How to force use firepower supported ciphers?</SPAN></P> Mon, 06 Jun 2016 08:13:38 GMT https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860100#M1030598 Valery Denisov 2016-06-06T08:13:38Z https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860101#M1030599 <P>Hello Valery,</P> <P>There are few issues reported with the Cipher errors in past month . Thus could you please contact Cisco TAC so that they can validate it and provide you a solution.</P> <P>Regards<BR />Jetsy&nbsp;</P> <P></P> Tue, 07 Jun 2016 05:47:17 GMT https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860101#M1030599 Jetsy Mathew 2016-06-07T05:47:17Z https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860102#M1030600 <P>So guys,</P> <P></P> <P>I opened case in TAC and got my answer. Traffic flow as follows:</P> <P></P> <P>The client hello passes through to the end server. The end server sends</P> <P>back the server hello with the chosen cipher suite. Then when the</P> <P>client sends the premaster secret we intercept that and send the client</P> <P>our master secret and the server our premaster secret. This is how we</P> <P>own the key and can decrypt resign the traffic.</P> <P></P> <P>That means you can't control negotiated cipher suite. If firepower doesn't support negotiated cipher you can't decrypt it... All you can do - do not decrypt and left users unprotected because large number of sites using cipher suites currently not supported by firepower.</P> Tue, 14 Jun 2016 14:12:19 GMT https://community.cisco.com/t5/network-security/ssl-decryption-with-firepower-physical-sensors/m-p/2860102#M1030600 Valery Denisov 2016-06-14T14:12:19Z