We have physical sensors and want to use SSL inspection for users' traffic.
When we deploy this function we get (on almost any site) an "unknown cipher" error.
From the SSL workflow we know that the cipher suite is selected by the SERVER HELLO, which in our case must be Firepower.
So how can we strictly set which cipher to use on Firepower to negotiate the SSL connection and remove this error?
I opened a case with TAC and got my answer. The traffic flow is as follows:
The client hello passes through to the end server. The end server sends back the server hello with the chosen cipher suite. Then, when the client sends the premaster secret, we intercept that and send the client our master secret and the server our premaster secret. This is how we own the key and can decrypt/resign the traffic.
That means you can't control the negotiated cipher suite. If Firepower doesn't support the negotiated cipher, you can't decrypt it... All you can do is not decrypt and leave users unprotected, because a large number of sites use cipher suites currently not supported by Firepower.
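As an added illustration of the point above (example code written for this page, not from the original post and not Cisco or Firepower code): since the server, not the inspecting device, picks the suite in the ServerHello, the practical check is to parse the ServerHello records you capture and compare the chosen suite against the list the inspector can decrypt. The SUPPORTED_BY_INSPECTOR set below is a hypothetical assumption for the demo (the post does not give Firepower's real list), and the ServerHello bytes are constructed by build_server_hello() rather than captured.

```python
"""Parse a TLS ServerHello and check the server-chosen cipher suite against an
inspection device's supported list.

Added example, not Firepower code.  SUPPORTED_BY_INSPECTOR is an assumed,
illustrative list; the ServerHello records are constructed locally.
"""
import struct

# Standard IANA cipher-suite code points (names are real; which of them the
# inspector "supports" below is an assumption for this demo).
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

# Hypothetical inspector capability (assumption): RSA and ECDHE AES suites only.
SUPPORTED_BY_INSPECTOR = {0x002F, 0x0035, 0x009C, 0xC02B, 0xC02C, 0xC02F, 0xC030}


def build_server_hello(cipher_suite, version=0x0303, session_id=b"", random=bytes(32)):
    """Construct a minimal TLS record carrying a ServerHello (sample input only)."""
    body = struct.pack("!H", version) + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", cipher_suite)
    body += b"\x00"                # compression_method: null
    body += struct.pack("!H", 0)   # extensions length: none
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return (legacy_version, cipher_suite) from a TLS record holding a ServerHello.

    Note: for TLS 1.3 the field here is the legacy_version (0x0303); the real
    version lives in the supported_versions extension, which is not parsed.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                          # skip the 32-byte server random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return version, cipher_suite


def inspection_decision(record):
    """Classify one ServerHello as ('decrypt', name) or ('unknown cipher', name)."""
    _, suite = parse_server_hello(record)
    name = CIPHER_NAMES.get(suite, f"0x{suite:04X}")
    if suite in SUPPORTED_BY_INSPECTOR:
        return "decrypt", name
    return "unknown cipher", name


def summarize(records):
    """Count how many captured ServerHellos the inspector could and could not decrypt."""
    counts = {"decrypt": 0, "unknown cipher": 0}
    for rec in records:
        counts[inspection_decision(rec)[0]] += 1
    return counts


if __name__ == "__main__":
    samples = [build_server_hello(s) for s in (0xC02F, 0xCCA9, 0x1303, 0x0035)]
    for s in samples:
        print(inspection_decision(s))
    print(summarize(samples))
```

Feed the parser the ServerHello records from a packet capture taken on the inspected segment and the summary tells you, before enabling decryption, what share of destinations would hit the "unknown cipher" path and fall through to the no-decrypt action.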