cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
151
Views
0
Helpful
0
Replies

FTD Decryption Policy - documentation confusion

tvotna
Enthusiast
Enthusiast

Hi team,

I became totally confused after reading the TLS/SSL Decrypt-Resign Guidelines section (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/decryption-rules.html#id_103845). I don't understand what practical implications below note can have... I believe browsers suggest all possible signature hash algorithms in the signature_algorithms extension and also it is allowed to [re]-sign a DSA public key from server certificate with RSA secret key of FTD CA (or vice versa) (https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 ). So any FTD CA certificate should do, whether it is RSA or ECDSA and I don't understand what can go wrong.

From documentation:

If you configure a rule with the Decrypt - Resign action, the rule matches traffic based on the referenced internal CA certificate’s signature algorithm type, in addition to any configured rule conditions. Because you associate one CA certificate with a Decrypt - Resign action, you cannot create a decryption rule that decrypts multiple types of outgoing traffic encrypted with different signature algorithms. In addition, any external certificate objects and cipher suites you add to the rule must match the associated CA certificate encryption algorithm type.

For example, outgoing traffic encrypted with an elliptic curve (EC) algorithm matches a Decrypt - Resign rule only if the action references an EC-based CA certificate; you must add EC-based external certificates and cipher suites to the rule to create certificate and cipher suite rule conditions.

Similarly, a Decrypt - Resign rule that references an RSA-based CA certificate matches only outgoing traffic encrypted with an RSA algorithm; outgoing traffic encrypted with an EC algorithm does not match the rule, even if all other configured rule conditions match.

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: