topic Re: SSL Decryption on FTD appliances not working in Network Security

SSL Decryption on FTD appliances not working

ryan14 — Fri, 07 Aug 2020 18:39:57 GMT

My SSL decryption policy is working but the FTDs are experiencing issues trying to decrypt sites that appear to be protected by cloudflare. For example, if I go to yahoo.com, I can see the certificate in my browser was intercepted by the FTD and the FTD is decrypt-resigning the traffic (via event viewer). However if I go to pcpartpicker.com, and look at the certificate, I can see that the FTD did not decrypt-resign as expected. When looking at the certificate via my browser it says issued by CloudFlare Inc (not my FTD). Another thing to note is that my connection in the browser shows a quick reset before actually loading the page. Does anyone else experience this behavior? I tested this across multiple FTDs 5508-X and FP2110 running 6.4.x and 6.6.0.1. Same behavior. Even with multiple browsers.

Re: SSL Decryption on FTD appliances not working

Marvin Rhoads — Fri, 07 Aug 2020 18:47:07 GMT

Could it be the problem connections are using quic (udp/443) and not classic https (tcp/443)?

Re: SSL Decryption on FTD appliances not working

ryan14 — Fri, 07 Aug 2020 20:28:19 GMT

The connection event shows tcp/443. What is interesting is ssl status is 'Do Not Decrypt (Uncached Session)'. Not sure what that means.

Re: SSL Decryption on FTD appliances not working

JohnDenver2135 — Tue, 08 Dec 2020 15:22:46 GMT

I have this same exact issue, did you ever figure out a fix? We do not allow 443 UDP by default however as you mention the traffic in the connection events is showing 443TCP and a status of 'Do Not Decrypt (Uncached Session)'.

Re: SSL Decryption on FTD appliances not working

ryan14 — Tue, 08 Dec 2020 16:28:18 GMT

I upgraded to 6.6.1, ran into bug CSCvs99356.

Upgraded to 6.7 and hit a new issue where I get NET::ERR_CERT_AUTHORITY_INVALID when loading a new webpage. If I hit refresh or F5, the page then does load correctly, without any certificate error. Sites protected by cloudfare seem to now be decrypted by FTD, before in 6.4 they were not. I have pending TAC case for this new issue. I cannot reproduce this new issue in 6.4 or 6.6.1 across multiple sites with computers on the same domain and use the same SSL policy. Issuing a new certificate for decrypt policy has the same issue. I would be curious to know if someone else has this issue which I have opened a new thread on.

Re: SSL Decryption on FTD appliances not working

jonathankarras — Wed, 17 Mar 2021 19:39:08 GMT

This seems to be fixed in 6.6.3 now. I was seeing similar issues in 6.6.1. Hoping to upgrade soon.

Re: SSL Decryption on FTD appliances not working

ryan14 — Wed, 17 Mar 2021 21:25:53 GMT

Sigh, hopefully next release of 6.7 is out soon for this fix.

Re: SSL Decryption on FTD appliances not working

ryan14 — Thu, 22 Jul 2021 13:10:08 GMT

In case anyone is wondering, this magically started to work when upgrading to version 7, with no changes on our end.