SSL decryption handshake

hrdina129
Level 1

Hello,

I was wondering how the NGFW manages inline SSL decryption. I am interested in the handshake communication. Does anyone know how it works? When does the NGFW determine the DN or URL to match decryption rules? When does the NGFW enter the communication and inject its certificate, based on URL or based on L3/L4?

This is actually really important, because when I set the decryption policy to decrypt all traffic, it works. But when I place before that rule another rule with a DN or URL for decryption bypass, then decryption breaks on particular pages, like google.com. From the system debug, I have many SSL handshake errors and I have no idea why.

Thank you

Best regards
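
On the timing question above: before any certificate is exchanged, the only destination name visible in the cleartext TLS handshake is the server_name (SNI) extension of the ClientHello; a URL is only visible after decryption, so a bypass rule keyed on a name can only be evaluated at ClientHello time. The following is an added example, not Cisco code and not part of this thread, that parses the SNI from a constructed ClientHello and models a name-based bypass/decrypt lookup; `build_client_hello` and `decrypt_decision` are illustrative helpers and the matching logic is an assumption, not any product's behaviour.

```python
import struct

def parse_sni(record: bytes):
    try:
        if record[0] != 0x16:            # TLS record type 0x16 = handshake
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                # handshake type 0x01 = ClientHello
            return None
        p = 4 + 2 + 32                   # skip handshake header, client_version, random
        p += 1 + hs[p]                   # session_id
        p += 2 + struct.unpack(">H", hs[p:p+2])[0]   # cipher_suites
        p += 1 + hs[p]                   # compression_methods
        if p + 2 > len(hs): return None  # no extensions block at all
        ext_len = struct.unpack(">H", hs[p:p+2])[0]
        p, end = p + 2, p + 2 + ext_len
        while p + 4 <= end:
            ext_type, elen = struct.unpack(">HH", hs[p:p+4])
            p += 4
            if ext_type == 0:            # server_name extension (RFC 6066)
                q = p + 2                # skip ServerNameList length
                if hs[q] == 0:           # name_type 0 = host_name
                    nlen = struct.unpack(">H", hs[q+1:q+3])[0]
                    return hs[q+3:q+3+nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                      # truncated or malformed record
    return None

def build_client_hello(hostname=None) -> bytes:
    # Constructed minimal TLS 1.2 ClientHello used as test input (not a real capture)
    body = b"\x03\x03" + b"\x00" * 32    # client_version, random
    body += b"\x00"                      # empty session_id
    body += b"\x00\x02\x00\x2f"          # one cipher suite
    body += b"\x01\x00"                  # null compression
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name
        sni = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", 0, len(sni)) + sni
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def decrypt_decision(record, bypass_suffixes):
    # Hypothetical policy lookup: only the cleartext SNI is available at this point
    sni = parse_sni(record)
    if sni is None:
        return ("no-sni", None)          # only L3/L4 fields are left to match on
    matched = any(sni == s or sni.endswith("." + s) for s in bypass_suffixes)
    return ("bypass" if matched else "decrypt", sni)
```

A ClientHello without SNI (or with a name the rule does not match) leaves the proxy to decide on L3/L4 alone, which is one reason a name-based bypass can behave differently from a decrypt-all rule.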

1 Reply

Dennis Perto
Level 5

You should read about "certificate pinning".
I figure that this is the problem you are seeing.

Google Chrome knows what the certificate should look like on Google.com.

Dropbox App knows what the certificate should look like in their cloud.

iCloud, Google Play Store, etc. are the same.

These cannot be decrypted.
