We have physical sensors and want to use SSL inspection for users' traffic.
When we deploy this function we get (on almost any site) an unknown cipher error.
From the SSL workflow we know that the cipher suite is selected by the SERVER HELLO, which in our case must be Firepower.
So how can we strictly set which cipher to use on Firepower to negotiate the SSL connection and remove this error?
Check: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html
Make sure you have the certificate etc. in place.
Rate if that helps!!!
Sure, I have it.
Without a cert or key you cannot create an SSL policy.
We tested several sites and some of them allow SSL inspection, while most of them require a cipher suite not supported by Firepower.
Any tips? The task seems obvious, but no luck with configuration. For example, I can see Chrome use CHACHA20_POLY1305 for the cipher and Firepower can do nothing about this. How to prevent this situation? How to force use of Firepower-supported ciphers?
I opened a case with TAC and got my answer. Traffic flow is as follows:
The client hello passes through to the end server. The end server sends back the server hello with the chosen cipher suite. Then when the client sends the premaster secret we intercept that and send the client our master secret and the server our premaster secret. This is how we own the key and can decrypt/resign the traffic.
That means you can't control the negotiated cipher suite. If Firepower doesn't support the negotiated cipher you can't decrypt it... All you can do is not decrypt and leave users unprotected, because a large number of sites use cipher suites currently not supported by Firepower.
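The exchange TAC describes, seen from the inspector's vantage point, as an added example that is not part of this thread and not Cisco's code. It builds a TLS 1.2 ClientHello and ServerHello from scratch (constructed bytes, stdlib only), lets a simulated server pick the suite the way real servers do (first server-preferred suite the client offered), and then has a passive inspector parse both messages and report whether the chosen suite is one it could decrypt. The cipher-suite IDs are the real IANA registry values; the INSPECTOR_SUPPORTED set is an assumption for the demo and is not Firepower's actual list, and the "Chrome-like" offer order is constructed, not captured. The point it makes runnable: the inspector never gets a vote, so the only levers that change the verdict are the client's offered list or the server's preference order.

```python
import struct

# Cipher suite IDs from the IANA TLS registry (real values).
SUITES = {
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# ASSUMPTION for this demo: what the inspecting middlebox can decrypt/resign.
# This is not Firepower's real supported list; consult the platform docs.
INSPECTOR_SUPPORTED = {0xC02F, 0xC030, 0x002F, 0x0035}

HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS12 = b"\x03\x03"


def _handshake_record(msg_type, body):
    """Wrap a handshake body in a Handshake header and a TLS record header."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS12 + len(hs).to_bytes(2, "big") + hs


def build_client_hello(offered, rnd=b"\x11" * 32):
    """ClientHello with the given cipher suites, no session id, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in offered)
    body = (TLS12 + rnd + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"          # one compression method: null
            + b"\x00\x00")         # empty extensions block
    return _handshake_record(CLIENT_HELLO, body)


def build_server_hello(chosen, rnd=b"\x22" * 32):
    """ServerHello announcing the single suite the server selected."""
    body = TLS12 + rnd + b"\x00" + struct.pack("!H", chosen) + b"\x00" + b"\x00\x00"
    return _handshake_record(SERVER_HELLO, body)


def _handshake_body(record, expected_type):
    """Validate record/handshake headers and return the handshake body."""
    if record[0] != HANDSHAKE or len(record) != 5 + struct.unpack("!H", record[3:5])[0]:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake type %d" % hs[0])
    hlen = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + hlen]


def parse_client_hello(record):
    """Return the list of cipher suite IDs the client offered, in order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                       # skip version + random
    pos += 1 + body[pos]               # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]


def parse_server_hello(record):
    """Return the single cipher suite ID the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def pick_suite(offered, server_preference):
    """Server-side choice: first server-preferred suite that the client offered."""
    for s in server_preference:
        if s in offered:
            return s
    raise ValueError("no common cipher suite")


def inspector_verdict(client_hello, server_hello, supported=INSPECTOR_SUPPORTED):
    """Passive inspector: observe both hellos, decide whether decryption is possible."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    if chosen not in offered:
        raise ValueError("server chose a suite the client did not offer")
    return {"chosen": chosen, "name": SUITES.get(chosen, "unknown"),
            "decryptable": chosen in supported}


if __name__ == "__main__":
    # Constructed, Chrome-like offer with ChaCha20 first; server also prefers it.
    chrome_offer = [0xCCA8, 0xC02F, 0xC030, 0x002F, 0x0035]
    server_pref = [0xCCA8, 0xC030, 0xC02F, 0x0035, 0x002F]
    for offer in (chrome_offer, [s for s in chrome_offer if s != 0xCCA8]):
        ch = build_client_hello(offer)
        sh = build_server_hello(pick_suite(offer, server_pref))
        print(inspector_verdict(ch, sh))
```

Running it shows the first negotiation landing on the ChaCha20 suite (not decryptable under the assumed list) and the second, where the client simply does not offer ChaCha20, landing on an AES-GCM suite that is. Nothing on the inspector side changed between the two runs, which is the practical reading of the TAC answer: if you need a different outcome, change what the endpoints offer or prefer.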