06-01-2016 12:27 PM - last edited on 03-25-2019 06:16 PM by ciscomoderator
Hello!
We have physical sensors and want to use SSL inspection for user traffic.
When we deploy this function we get (on almost any site) an "unknown cipher" error.
From the SSL workflow we know that the cipher suite is selected by the SERVER HELLO, which in our case must be Firepower.
So how can we strictly set which cipher to use on Firepower to negotiate the SSL connection and remove this error?
Thank you!
06-02-2016 06:12 AM
Hi,
Check: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html
Make sure you have the certificate etc in place.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
06-02-2016 09:38 AM
Sure, I have it.
Without a cert or key you cannot create an SSL policy.
We tested several sites and some of them allow SSL inspection, while most of them require a cipher suite not supported by Firepower.
06-06-2016 10:47 PM
Hello Valery,
There have been a few issues reported with the cipher errors in the past month. Thus, could you please contact Cisco TAC so that they can validate it and provide you with a solution.
Regards
Jetsy 
06-06-2016 01:13 AM
Folks,
Any tips? The task seems obvious, but no luck with the configuration. For example, I can see Chrome use CHACHA20_POLY1305 as the cipher and Firepower can do nothing about this. How to prevent this situation? How to force the use of Firepower-supported ciphers?
06-14-2016 07:12 AM
So guys,
I opened a case with TAC and got my answer. The traffic flow is as follows:
The client hello passes through to the end server. The end server sends
back the server hello with the chosen cipher suite. Then when the
client sends the premaster secret we intercept that and send the client
our master secret and the server our premaster secret. This is how we
own the key and can decrypt and resign the traffic.
That means you can't control the negotiated cipher suite. If Firepower doesn't support the negotiated cipher you can't decrypt it... All you can do is not decrypt and leave users unprotected, because a large number of sites use cipher suites currently not supported by Firepower.
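The flow in the TAC answer above, as an added example that is not from the thread, from Cisco or from Firepower: a small Python model of why an inline decrypt-resign device only learns the cipher suite after the server has chosen it, plus a defender-side check that reads the pass-through ClientHello and lists the offered suites the device could not decrypt. The cipher-suite code points are the real IANA values; the inspector's support list (`INSPECTOR_SUPPORTED`), the sample ClientHello and the two server preference lists are constructed for illustration and are not Firepower's actual support list.

```python
import struct

# Real IANA cipher-suite code points for the suites used in this example.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Hypothetical inspector support list (constructed, NOT Firepower's real list).
# The CHACHA20_POLY1305 suites are left out to reproduce the symptom in the thread.
INSPECTOR_SUPPORTED = {0x002F, 0x0035, 0x009C, 0xC02F, 0xC030}


def build_client_hello(cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    body = b"\x03\x03" + bytes(32)                  # client_version + 32-byte random (zeros)
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # one compression method: null
    body += b"\x00\x00"                              # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher suites a ClientHello offers, in the client's order."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + suites_len]
    if len(suites) != suites_len or suites_len % 2:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, suites_len, 2)]


def server_selects(offered, server_preference):
    """Server-preference negotiation: the first suite the server prefers that the
    client offered. The inspector has no say here; it only forwarded the ClientHello."""
    for suite in server_preference:
        if suite in offered:
            return suite
    return None                                      # no common suite: handshake_failure


def inspection_outcome(negotiated, supported=INSPECTOR_SUPPORTED):
    """What the decrypt-resign device can do once the ServerHello has fixed the suite."""
    if negotiated is None:
        return "handshake_failure"
    return "decrypt" if negotiated in supported else "unknown cipher"


def undecryptable_offers(record, supported=INSPECTOR_SUPPORTED):
    """Defender check on the pass-through ClientHello: offered suites that would
    leave the flow undecryptable if the server picks one of them."""
    return [s for s in parse_client_hello_suites(record) if s not in supported]


if __name__ == "__main__":
    # Constructed browser-like offer: ChaCha20 first, then AES-GCM, then RSA/CBC.
    hello = build_client_hello([0xCCA9, 0xCCA8, 0xC02F, 0xC030, 0x009C, 0x002F])
    offered = parse_client_hello_suites(hello)
    print("client offers:", [SUITE_NAMES[s] for s in offered])
    print("inspector cannot decrypt:", [SUITE_NAMES[s] for s in undecryptable_offers(hello)])
    # Two constructed server preference lists: one prefers ChaCha20, one AES-GCM.
    for label, pref in (("server A", [0xCCA8, 0xC02F]), ("server B", [0xC02F, 0xC030])):
        chosen = server_selects(offered, pref)
        print(f"{label}: {SUITE_NAMES[chosen]} -> {inspection_outcome(chosen)}")
```

Running the script shows the point the TAC answer makes: the same ClientHello yields "decrypt" against a server that prefers AES-GCM and "unknown cipher" against one that prefers ChaCha20, and nothing configured on the inspector changes which of the two happens. `undecryptable_offers` is the useful monitoring hook: run it over captured ClientHellos and you can estimate in advance what share of your sites will fall into the undecryptable case.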