SSL decryption handshake

05-10-2017 10:45 AM
Hello,
I was wondering how the NGFW manages inline SSL decryption. I am interested in the handshake communication. Does anyone know how it works? When does the NGFW determine the DN or URL to match the decryption rules? When does the NGFW enter the communication and inject its certificate, based on URL and based on L3/L4?
This is actually really important, because when I set the decryption policy to decrypt all traffic, it works. But when I place before that rule another rule with a DN or URL for decryption bypass, then decryption breaks on particular pages, like google.com. In the system debug I have many SSL handshake errors and I have no idea why.
Thank you
Best regards
Labels: NGFW Firewalls

05-18-2017 12:43 AM
You should read about "certificate pinning".
I figure that this is the problem you are seeing.
Google Chrome knows what the certificate should look like on Google.com.
The Dropbox app knows what the certificate should look like in their cloud.
iCloud, Google Play Store, etc. are the same.
These cannot be decrypted.
