cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2698
Views
0
Helpful
2
Replies

Please explain the “TLS 1.3 Server Identity Discovery” feature?

SIMMN
Spotlight
Spotlight

As the title suggests, can someone please explain the “TLS 1.3 Server Identity Discovery” feature from true technical perspective? How does it work and how would it impact encrypted traffic?

I thought I know what the feature does but I have got burned by it twice in last couple of months…neither case, TAC could explain why…

Case 1, I turned on this feature, aka “Early application detection and URL categorization” on a FTD running as transparent mode with v7.2 firmware. Once deployment is done, all user SSL/TLs traffic got dropped…no blocking events captured though…the fix was to turn the feature off.

Case 2, I turned on this feature on a FTD running in routed mode with v7.0 firmware. It did not drop user SSL/TLS traffic but it impacted a multi-tier application where inter-tier traffic is traversing through FTD…again silence drop/impact with no events showing…again the fix is to disable the feature in ACP…

In either cases, there were ACP rules matching URL categories but not rules for match APP categories….My thought/understanding of the feature was/is the FTD would probe the server cert for TLS 1.3 traffic to determine the App generating this traffic without the needs to decrypt the traffic. It should not in any circumstances to filter/drop TLS traffic, even if FTD can not determine the App…so am I wrong?

It is supposed to be a simple and useful security feature but…please someone knows more to explain.

 

2 Replies 2

Octavian Szolga
Level 4
Level 4

https://www.youtube.com/watch?v=pgjZvgUkcCQ

Later edit: sorry, now I saw your scenarios.
The 1st thing that came to my mind is how does it probe the destination server in transparent mode..

The 2nd thing - do you have an SSL policy in place for your traffic?

Maybe you're hitting a bug?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd80741

My notes:

No SSL Policy present:
- If no SNI is present, the connection is not matched for TLS 1.3 (server certificate is encrypted)
- If SNI is present, the URL filtering matches based on client SNI option (may be spoofed)
- If SNI is present and early app detection enabled, FTD creates a sidecar connection to same server and checks server cert fields; connection is allowed based on server cert; if SNI does not matches server cert, connection is blocked;

BR,

Octavian

Thanks for the info, especially the bug. I think my 2nd case is that bug…but again why this feature even drops packets while the name suggests detection!!

Review Cisco Networking for a $25 gift card