Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1159
Views
0
Helpful
5
Replies

SSL decryption with Firepower Physical sensors

Valery Denisov
Level 1
Level 1

‎06-01-2016 12:27 PM - last edited on ‎03-25-2019 06:16 PM by Community Manager

Hello !


We have physical sensors and want to use ssl inspection for users traffic.


When we deploy this function we have (almost on any site) - unknown cipher error.


From SSL workflow we know that cipher suite selected by SERVER HELLO which in our case must be Firepower.

So how can we strictly set which cipher to use on Firepower to negotiate SSL connection and remove this error ?

Thank you!

Labels:
0 Helpful
5 Replies 5

Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎06-02-2016 06:12 AM

Hi,

Check : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Make sure you have the certificate etc in place.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

0 Helpful

Valery Denisov
Level 1
Level 1
In response to Aastha Bhardwaj

‎06-02-2016 09:38 AM

Sure i have it.

Without cert or key you cannot create ssl policy.

We tested several sites and some of them allow ssl inspecton while most of them require not supported cipher suite by firepower.

0 Helpful

Jetsy Mathew
Cisco Employee
Cisco Employee
In response to Valery Denisov

‎06-06-2016 10:47 PM

Hello Valery,

There are few issues reported with the Cipher errors in past month . Thus could you please contact Cisco TAC so that they can validate it and provide you a solution.

Regards
Jetsy 

0 Helpful

Valery Denisov
Level 1
Level 1

‎06-06-2016 01:13 AM

Folks,

any tips ? Task seems be obvious but no luck with configuration. For example, i can see chrome use CHACHA20_POLY1305 for cipher and firepower can do nothing about this. How to prevent this situation ? How to force use firepower supported ciphers?

0 Helpful

Valery Denisov
Level 1
Level 1
In response to Valery Denisov

‎06-14-2016 07:12 AM

So guys,

I opened case in TAC and got my answer. Traffic flow as follows:

The client hello passes through to the end server. The end server sends

back the server hello with the chosen cipher suite. Then when the

client sends the premaster secret we intercept that and send the client

our master secret and the server our premaster secret. This is how we

own the key and can decrypt resign the traffic.

That means you can't control negotiated cipher suite. If firepower doesn't support negotiated cipher you can't decrypt it... All you can do - do not decrypt and left users unprotected because large number of sites using cipher suites currently not supported by firepower.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card