topic Re: FTD decryption TLS 1.3 - Flushing certificates in cache in Network Security

FTD decryption TLS 1.3 - Flushing certificates in cache

cpaquet — Wed, 24 Jul 2024 11:59:55 GMT

On FTD, with TLS decryption enabled, "the managed device caches server certificate data, which allows faster handshake processing in subsequent sessions that use the same certificate" (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/encrypted-traffic-overview.html)

"A cached TLS server's certificate is available to all Snort instances on a particular threat defense. The cache can be cleared with a CLI command and is automatically cleared when the device is rebooted." (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/decryption-policies.html)

However, the doc doesn't mention which command to use to flush the certificates accumulated in cache by the FTD SSL decryption process.

Would it be: clear crypto ca trustpool or crypto ca trustpool remove ?

Thanks.

Re: FTD decryption TLS 1.3 - Flushing certificates in cache

Sheraz.Salim — Wed, 24 Jul 2024 13:57:11 GMT

Regarding the SSL/TLS server certificate cache on Firepower Threat Defense (FTD) devices with TLS decryption enabled. You're correct that the documentation mentions the ability to clear this cache but doesn't specify the exact command to do so. Based on the current documentation and available FTD commands, there isn't a straightforward, documented method to manually clear this cache. The commands you mentioned (clear crypto ca trustpool and crypto ca trustpool remove) are related to the certificate trustpool and not to this specific SSL decryption cache. Given this situation, here are the current options and recommendations:

Automatic clearing: As mentioned in the documentation, the cache is automatically cleared when the device is rebooted. This is the only confirmed method of clearing the cache.
Policy redeployment: While not guaranteed, redeploying the SSL policy from Firepower Management Center (FMC) might potentially refresh the certificate cache.
Natural expiration: The cache likely has some form of expiration or rotation mechanism, though details on this are not provided in the public documentation.

Re: FTD decryption TLS 1.3 - Flushing certificates in cache

cpaquet — Wed, 24 Jul 2024 19:31:56 GMT

Thanks Sheraz for your thorough answer.

Anyone knows how to get Cisco (the firewall Business Unit I guess) amend the FTD documentation by either adding the command (if such command exists) or by removing the phrase in the doc that says that a command exist for flushing certs acquired during SSL decryption?

Re: FTD decryption TLS 1.3 - Flushing certificates in cache

Sheraz.Salim — Wed, 24 Jul 2024 20:28:26 GMT

Your best course of action is to either open a Cisco TAC case or contact your Cisco account manager. I know this is not helpful but thats the only way to get their attention on this matter.

Re: FTD decryption TLS 1.3 - Flushing certificates in cache

MHM Cisco World — Sun, 28 Jul 2024 13:52:17 GMT

you can see some info about SSL policy
in FTD >
run this command
ftd > system support ssl-? <<- this will give you alot option to see SSL statistic

MHM

Re: FTD decryption TLS 1.3 - Flushing certificates in cache

bcoverstone — Tue, 06 Aug 2024 19:36:30 GMT

> system support ssl-cache-clear all