FTD SSL Decrypt issue even though cert is imported on all clients

S3C
Level 1

Hi,

I have enabled SSL decrypt with using the FTDs own self-signed cert and under settings using "Any" as Trusted CA Certs and "Default Internal Cert" as Decrypt Known-Key Certificates.

All clients have the self-signed cert imported in Trusted Root Authorities & Personal, but it still won't resign or allow traffic to specific sites/URLs like travel agencies, Windows Update, countries' own local departments, online meetings, SaaS/B2B, etc.

I got rules with resign from any to outside.

My workaround is to add the categories to a "do not decrypt" rule. However, I don't want to add all kinds of categories to the do not decrypt rule.

Also, if I disable SSL decrypt then everything works, so it's not some other 3rd-party software blocking it.

What am i doing wrong?

5 Replies

aspilbea
Cisco Employee

"Known-Key" decryption is for services that you own/manage such as decryption of inbound sessions to your internal web servers.
The firewall uses the uploaded private key from the server to decrypt and re-encrypt the session. 

"Resign" is for decryption of sessions to services that you do not own such as external websites.  
The firewall uses either its own or an imported CA certificate to decrypt the session and re-sign it with the new CA. The devices must all trust the CA that is being used to re-sign the session.

Details on how the feature works and how to set it up for various scenarios are detailed in the Configuration Guide:
Cisco Secure Firewall Management Center Device Configuration Guide, 7.4 - Traffic Decryption Overview [Cisco Secure Firewall Management Center] - Cisco

There's also some additional information available on the Secure Firewall Essentials Hub here:

SSL Policy (cisco.com)

There are many scenarios where traffic cannot be decrypted for various reasons. What is the exact issue you are running into? What hardware models and software versions are you running in your environment?

As @aspilbea mentioned,

You need the action re-sign if you use SSL decrypt for hosts inside trying to access servers outside.

Be sure that all clients have the self-signed cert of the FPR.

MHM

S3C
Level 1

Hello,

Thanks for the replies. Yes, the known-key and resign fundamentals I understand. But the issue is from inside to outside. A client connecting to, e.g., Windows Update doesn't work (connection error) even though all clients have the self-signed cert of the FPR and the rule is re-sign.

Does Windows use another port or another IP for the download?

MHM

aspilbea
Cisco Employee

That is likely down to Certificate Pinning which is implemented on many services these days. 

From the second link I posted:

"Many mobile devices and enterprise SaaS cloud applications use mutual authentication or certificate pinning to validate the application server's certificate. Since FTD modifies the server certificate during outbound decryption (decrypt - resign), the client application does not accept the server certificate causing the TLS connection to fail."

TLS decryption shouldn't be deployed to decrypt everything, ideally you would want to decide what to decrypt and create a policy around it. 
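To confirm whether a failing site is actually being re-signed by the FTD (and is therefore a pinning candidate for a Do Not Decrypt rule) rather than failing for some other reason, here is an added Python example; it is not code from this thread or from Cisco. The FTD CA subject, the CA PEM path and the sample certificates are assumptions; the live fetch uses only the standard library.

```python
import socket
import ssl

# Assumed (hypothetical) subject of the FTD's internal CA used for the Decrypt - Resign action;
# a pinning client rejects any leaf whose issuer is this CA instead of the site's real CA.
FTD_CA_SUBJECT = {"commonName": "FTD-Internal-CA", "organizationName": "Example Corp"}

def flatten_name(name):
    """Collapse ssl.getpeercert()'s nested RDN tuples into a plain {attr: value} dict."""
    return {attr: value for rdn in name for (attr, value) in rdn}

def classify(cert, ftd_ca_subject=FTD_CA_SUBJECT):
    """Decide from a getpeercert() dict whether the session the client saw was re-signed."""
    issuer = flatten_name(cert["issuer"])
    if all(issuer.get(k) == v for k, v in ftd_ca_subject.items()):
        return "resigned-by-ftd"
    return "original-issuer"

def fetch_peer_cert(host, ftd_ca_pem, port=443, timeout=5):
    """Fetch the leaf certificate a client behind the FTD actually receives. The FTD CA PEM
    is added to the trust store so a re-signed chain validates and getpeercert() is populated."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=ftd_ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def triage(results, ftd_ca_subject=FTD_CA_SUBJECT):
    """Map host -> cert dict (or the Exception raised by fetch_peer_cert) to a policy hint."""
    report = {}
    for host, cert in results.items():
        if isinstance(cert, Exception):
            report[host] = f"handshake failed ({type(cert).__name__}); check FTD CA trust on the client"
        elif classify(cert, ftd_ca_subject) == "resigned-by-ftd":
            report[host] = "decrypted; if the app still fails it likely pins -> Do Not Decrypt rule"
        else:
            report[host] = "not decrypted; failure is not caused by the resign action"
    return report

# Constructed sample certs in getpeercert() format (not captured from a real session).
RESIGNED_CERT = {
    "subject": ((("commonName", "update.example.net"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "FTD-Internal-CA"),)),
}
PASSTHROUGH_CERT = {
    "subject": ((("commonName", "meet.example.org"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA G1"),)),
}
```

Run `triage({h: fetch_peer_cert(h, "/path/to/ftd-ca.pem") for h in hosts})` from a client inside the network to see which of the failing sites are really being re-signed.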
