cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
920
Views
0
Helpful
5
Replies

SSL decryption with Firepower Physical sensors

Valery Denisov
Level 1
Level 1

Hello !


We have physical sensors and want to use ssl inspection for users traffic.


When we deploy this function we have (almost on any site) - unknown cipher error.


From SSL workflow we know that cipher suite selected by SERVER HELLO which in our case must be Firepower.

So how can we strictly set which cipher to use on Firepower to negotiate SSL connection and remove this error ?

Thank you!

5 Replies 5

Aastha Bhardwaj
Cisco Employee
Cisco Employee

Hi,

Check : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Make sure you have the certificate etc in place.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Sure i have it.

Without cert or key you cannot create ssl policy.

We tested several sites and some of them allow ssl inspecton while most of them require not supported cipher suite by firepower.

Hello Valery,

There are few issues reported with the Cipher errors in past month . Thus could you please contact Cisco TAC so that they can validate it and provide you a solution.

Regards
Jetsy 

Valery Denisov
Level 1
Level 1

Folks,

any tips ? Task seems be obvious but no luck with configuration. For example, i can see chrome use CHACHA20_POLY1305 for cipher and firepower can do nothing about this. How to prevent this situation ? How to force use firepower supported ciphers?

So guys,

I opened case in TAC and got my answer. Traffic flow as follows:

The client hello passes through to the end server. The end server sends

back the server hello with the chosen cipher suite. Then when the

client sends the premaster secret we intercept that and send the client

our master secret and the server our premaster secret. This is how we

own the key and can decrypt resign the traffic.

That means you can't control negotiated cipher suite. If firepower doesn't support negotiated cipher you can't decrypt it... All you can do - do not decrypt and left users unprotected because large number of sites using cipher suites currently not supported by firepower.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: