Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1747
Views
0
Helpful
2
Replies

SSL Policy error "CLIENT_CERT_NOT_SUPPORTED (0xb000346b)"

AndresCornetOliva
Level 1
Level 1

‎04-28-2020 05:49 AM

I'm having a problem with a SSL Policy, which I use to analyze SMTPS traffic with a Firepower sensor managed by FMC. I have my own mail server inside my LAN, so I want to analyze incoming SMTPS traffic with the Decrypt (Known Key) method, as I own the private key.

 

I have successfully configured and deployed the policy, and I'm actually being able to decrypt and analyze mail traffic in search of malware (which is the main purpose of this). The problem is that I'm also blocking a lot, perhaps most, of connections. 

 

When I check the Table View of Connection Events, I can see the Reason is SSL Block. In the SSL Flow Error column it says "CLIENT_CERT_NOT_SUPPORTED (0xb000346b)", and in SSL Flow Flags it says it's undecryptable.

 

Unfortunately, in the policy configuration I can't allow the undecryptable traffic. I can either block or block with reset. The only way to solve this issue by the moment was to create a Do Not Decrypt rule specifying the Initiator IP addresses. Interesting fact, for the certain IP addresses, sometimes it blocks and sometimes it decrypts successfuly. 

 

Can anyone give a hand with this? Thank you.

1 person had this problem
0 Helpful
2 Replies 2

superadmin9
Level 1
Level 1

‎04-29-2020 05:09 PM

You probably already know this, but for SSL decrypt to work, the internal client needs the cert on their machine. Is it possible that the machines that are doing decrypt have the cert and those that are not, don’t have the cert?
I have a decrypt policy for 443 traffic deployed and haven’t seen any issues, and the only extra thing I did during setup was make sure my clients had my internal cert.
0 Helpful

AndresCornetOliva
Level 1
Level 1
In response to superadmin9

‎05-05-2020 08:22 AM

Hi, thanks for the answer. Apparently it would be a problem of TLS handshake. The server is trying to perform something called client-authenticated TLS, wich wouldn't be supported by the FMC. I'm still searching in order to confirm it, but it's the most likely explanation.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card