
BRKSEC-3667

Advanced Firepower SSL policy troubleshooting

James Everett
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSEC-3667

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Brief overview of SSL
• Reading SSL packet captures
• SSL Policy best practices
• Troubleshooting SSL in Firepower from GUI
• Troubleshooting SSL in Firepower from CLI
• Case Study

This presentation will not cover
Entries with * will have a reference in the appendix
• HTTPS server workings
• Firepower Device Management (6.2.3)
• *Creating SSL policy
• In-depth Pcap investigation
• Non-http methods of SSL
• VPN

Your Presenter
James Everett
• Tech Lead for Firepower TAC
• 4+ Years of experience
• Working with SSL firepower since 5.4.0

Typical Deployment
• Non-FTD appliances
• Series 3 (7000 and 8000 series)
• ASA with Firepower Services
• Firepower Threat Defense

(diagram legend: Reference, Firepower Sensor)
Reference Page Example
TAC Case open template: Page 1
• To speed up a TAC case about SSL errors or unexpected actions, please open it with the following:
• CSV report output of Connection Events matching this traffic*
• Please see Gather report of connection events
• Packet capture
• Client
• Sensor
• Server side
• Explanation of the applications and errors seen
• Include any recent changes you are aware of
• Troubleshoot from the sensor

Using SSL on the web
HTTPS on the web
• HTTP inside SSL tunnel
• HTTPS starts as asymmetric encryption
• Public Key Infrastructure

Public Key Infrastructure
Security of the unknown
(diagram: Cisco.com and its certificate)
Public Key Infrastructure
Building trust
(diagram: Trusted Certificates store, Cisco.com certificate)
Public Key Infrastructure
Malicious Certificates
(diagram: Trusted Certificates store, Cisco.com certificate)
Company Certificate Authority
Public Key Infrastructure
Man in the middle on employees
(diagram: company CA in Trusted Certificates, Cisco.com certificates)
Company Certificate Authority
Public Key Infrastructure
Man in the middle on guests
(diagram: Trusted Certificates without the company CA, Cisco.com certificates)
Public Key Infrastructure
Stolen private key
(diagram: Cisco.com certificates)
Reading SSL pcaps
Standard SSL handshake for HTTPS

Abbreviated SSL handshake
(diagram, ending in Application Data)
Full handshake

Other common handshakes
• Client Certificate request
• Session Reuse
• Client Hello Modification required
• Certificate Pinning
• Phone applications

Pcap investigation Client Hello
• Identify Handshake
• Session ID

Pcap investigation Client Hello continued
• Session ID
• Server Name
• Known problems
• Potential problems

Pcap investigation: Server Hello
• Identify Handshake
• Version
• Server Name

Pcap investigation: Certificate
• Length
• Issuer

SSL Decryption fails

SSL Decryption successful

SSL policy best practices
Typical deployment: Decrypt Resign

Typical deployment: Decrypt Known-key

Required before you begin
Best Practices
• Internal root Certificate Authority (CA)
• Import all CAs in Trusted CA*

Typical basic policy
Decrypt Resign

Typical basic policy
Decrypt Known Key

Typical basic policy
Decrypt Combo

Good practice policy
Aware of government laws

Good practice policy
For general purposes

Good practice
Notice

What to expect
• Currently an ~80% performance hit
• May require webserver modifications
• Perfect Forward Secrecy (ECDHE) does not work in Decrypt Known-key
• Client Hello Modifications do not work in Decrypt Known-key

Troubleshooting SSL policy
Agenda
• Map out the scope

Before we begin
SSL policy is like opening a new door in your network

First stop and ask
(diagram: ICMP, HTTP, HTTPS, DNS, Domains)

First stop and ask
(diagram: Before, After, Hours After the SSL Policy)

First stop and ask

Troubleshooting SSL Policy (Under the hood)
Client Hello Modification (6.1.0+)
(diagram: Client Hello before and after modification)

Troubleshooting SSL policy (GUI)
Agenda
• Map out the scope
• Identify the problem

Find the connection event
Easy Search
Find the connection event

Interpreting the connection events
• Enable the column
• Success
• Error
Interpreting the connection events
Field Break Down
• Decrypt (Resign)
• Valid
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• Decrypt (Resign)
• VALID, INITIALIZED, SSL_DETECTED, CERTIFICATE_DECODED,
• CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE
• Testing Live
• Decrypt All
• 0xd12692f1a881b86b3663ac784ce7ebd04614a0f5736c07913c3cddd9af1
• 0x0
• TLSv1.2

Interpreting the connection event
Certificate deep dive

Check the SSL policy

Browsers often hold valuable information

Browsers often hold valuable information
HTTP Strict Transport Security (HSTS)
• Automatically re-directs HTTP to HTTPS
• Prevents users from being MITM and accepting a bad certificate

Clear Browser Cache

Install the certificate

Install the Certificate
Large scale deployments
• Microsoft Active Directory
• Download link on internal page

Case study #2 notes


Agenda
• Map out the scope
• Identify the problem
• Gather data

Gather the pieces
• Connection Events
• SSL Policy
• Browser error
• PCAP
• SSL Debug

Troubleshooting SSL policy (CLI)
Pcaps

Color guide
SHELL

>Commands for adding or starting debugging

>Commands to reset, to be run at the end

Packet capture on Firepower Threat Defense (firepower)
SHELL

>capture-traffic

Please chose domain to capture traffic from:


0 – br1
1 – Router
Selection? 1

Please specify tcpdump options desired.


(or enter ‘?’ for a list of supported options)
Options: -w debug.pcap

^C Ctrl+C to end
Caught interrupt signal
Exiting.

Packet capture on Firepower Threat Defense (Lina)
SHELL

>capture capin interface Inside match tcp host 192.168.10.10 any eq 443
>show capture
capture capin type raw-data interface Inside [Capturing - 0 bytes]
match tcp host 192.168.10.10 any eq https
>
>
>copy /pcap capture:capin disk0:
Source capture name [capin]?

Destination filename [capin]?


!!!!!!!!!!
353 packets copied in 0.40 secs
>
>no capture capin

Packet capture on SFR module
SHELL

>system support capture-traffic

Please chose domain to capture traffic from:


0 – eth0
1 – cplane
2 – Single Context

Selection? 2

Please specify tcpdump options desired.


(or enter ‘?’ for a list of supported options)
Options:

^C Ctrl+C to end
Caught interrupt signal
Exiting.

Packet capture on Legacy Firepower
SHELL

>system support capture-traffic

Please chose domain to capture traffic from:


0 – eth0
1 – Inline Set (s1p1 < > s1p2)

Selection? 1
Please specify tcpdump options desired.
(or enter ‘?’ for a list of supported options)
Options:

^C Ctrl+C to end
Caught interrupt signal
Exiting.

Typical TAC options
SHELL

>capture-traffic

Please chose domain to capture traffic from:


0 – br1
1 – Router
Selection? 1

Please specify tcpdump options desired.


(or enter ‘?’ for a list of supported options)
Options: -w ssl.pcap -s 0 host <ip address> and port 443

Some common tcpdump options
• -w <filename> writes to file in /ngfw/var/common
• SFR in /var/common
• -s 0 sets the snaplength to interface maximum mtu
• -c <# of packets>
• host <ip address>
• port <port>
• and <port/host>

Packet capture location on SFR module
SHELL

>expert
admin@sfr:~$ls -lah /var/common
total 424K
drwx------ 5 root root 4.0K Dec 4 17:19 .
drwxr-xr-x 21 root root 4.0K Dec 1 21:31 ..
-rw-r--r-- 1 root root 400K Dec 4 23:55 sfr.pcap
admin@sfr:~$

Packet capture location on Firepower Threat Defense
SHELL

>expert
admin@2110:~$ls -lah /ngfw/var/common
total 424K
drwx------ 5 root root 4.0K Dec 4 17:19 .
drwxr-xr-x 21 root root 4.0K Dec 1 21:31 ..
-rw-r--r-- 1 root root 400K Dec 4 23:55 ssl.pcap
admin@2110:~$
admin@2110:~$echo ‘**For Lina pcaps**’
**For Lina pcaps**
admin@2110:~# ls /mnt/disk0/
boot capin coredumpinfo csco_config log

Retrieve pcap file (Before 6.2.0)
SHELL

>expert
admin@sfr:~$ls -lah /var/common
total 424K
drwx------ 5 root root 4.0K Dec 4 17:19 .
drwxr-xr-x 21 root root 4.0K Dec 1 21:31 ..
-rw-r--r-- 1 root root 400K Dec 4 23:55 sfr.pcap
admin@sfr:~$sudo scp /var/common/sfr.pcap <username>@<FMC IP>:/var/tmp
Password:
Warning: Permanently added '192.168.10.49' (ECDSA) to the list of known hosts.
Password:
sfr.pcap 100% 2544 2.5KB/s 00:00

Retrieve pcap file (Before 6.2.0)
SHELL

>expert
admin@sfr:~$ls -lah /ngfw/var/common
total 424K
drwx------ 5 root root 4.0K Dec 4 17:19 .
drwxr-xr-x 21 root root 4.0K Dec 1 21:31 ..
-rw-r--r-- 1 root root 400K Dec 4 23:55 sfr.pcap
admin@sfr:~$sudo scp /ngfw/var/common/sfr.pcap <username>@<FMC IP>:/var/tmp
Password:
Warning: Permanently added '192.168.10.49' (ECDSA) to the list of known hosts.
Password:
sfr.pcap 100% 2544 2.5KB/s 00:00

Retrieve pcap 6.2.0+

SSL debugs on Firepower
SHELL
>system support ssl-debug debug_policy_all
Parameter debug_policy_all successfully added to configuration file.
Configuration file contents:
debug_policy_all

You must restart snort before this change will take affect
This can be done via the CLI command
‘pmtool restartbytype DetectionEngine’.
>pmtool restartbytype DetectionEngine
----Snort will restart
> system support ssl-debug-reset

Are you certain that you wish to delete the current SSL debug configuration file? (y/n)
[n]: y

Configuration file successfully deleted.

You must restart snort before this change will take affect
This can be done via the CLI command
'pmtool restartbytype DetectionEngine'.
>pmtool restartbytype DetectionEngine

SSL debugs on Firepower
SHELL

>expert
#admin@2110:~$ls -lah /ngfw/var/common
-rw-rw-rw- 1 root root 625 Dec 18 20:38 ssl_debug_26386

#admin@2110:~$grep -i <domain> ssl_debug*


ssl_debug_14551: cert summary: CN=cisco.com
#admin@2110:~$less ssl_debug_26386
Snort PID

SSL debugs on Firepower
SHELL

>expert
#admin@2110:~$ls -lah /var/common
-rw-rw-rw- 1 root root 625 Dec 18 20:38 ssl_debug_26386

#admin@2110:~$grep -i <domain> ssl_debug*


ssl_debug_14551: cert summary: CN=cisco.com
#admin@2110:~$less ssl_debug_26386
Snort PID

SSL debug example of full text
SHELL
2017-12-17 23:24:12.675 store_server_name:413 In store_server_name, flowid=0x80000019, flow_context=0x108421a0, server name: len=17, www.ciscolive.com, _server_name_hash && name && (fid.id32 != 0)=1
2017-12-17 23:24:12.675 NSE_FRAME__SSL_DETECTED -- found SSL CH (Client Hello), flowid=0x80000019, flags=0x112
2017-12-17 23:24:12.700 ssl_policy_decision:2881 In ssl_policy_decision, session_id_len=32, session_tkt_len=0.
2017-12-17 23:24:12.701 ssl_policy_decision:3093 (M) Rule 9 did not match src endpoint. Looking for: 192.168.30.74
2017-12-17 23:24:12.702 ssl_policy_decision:3102 (M) Rule 2 did not match dst endpoint. Looking for: 72.4.119.2
2017-12-17 23:24:12.711 match_application:1325 In match_application.
2017-12-17 23:24:12.712 ssl_policy_decision:3305 (M) Rule 4 -- did not match URL category
2017-12-17 23:24:12.712 match_application:1325 In match_application.
2017-12-17 23:24:12.712 ssl_policy_decision:3318 (M) Rule 1 matched.
2017-12-17 23:24:12.712 set_verdict:2553 set_verdict: rule->action: 1, passive mode=0
2017-12-17 23:24:12.713 Verdict callback.
Logstr: ssl_policy_decision: Found matching rule.
Process ID: 2407
Flow context: 0x108421a0
Flow info: 0x7fffc4934e10
flowid: 0x80000019
error: 0x00000000
cipher_suite: 53 - TLS_RSA_WITH_AES_256_CBC_SHA
ssl_version: TLS1.2
server_cert_h: 1
cert summary: CN=ciscolive.com;O=Cisco Systems;
flags: 0x408200000480c1c3/0x0000000000000000
messages: 0x00000038
Connection Event: 0x7fffc4934af8
Policy ID: f4cc16da-e367-11e7-b8ef-ca207ff44967
Rule ID: 1
Logging is on: 1
Cipher Suite: 53 - TLS_RSA_WITH_AES_256_CBC_SHA
SSL Version: 16 - TLS1.2
Server Cert Status: 2 - valid ca chain,
URL Category Matched: 0
App ID Matched: 0
Client Hello Server Name: (null)
Actual Action: 6 - Decrypt and resign.
Expected Action: 6 - Decrypt and resign.
SSL Flow Status: 2 - success - SSL Rule successfully applied.
SSL Flow Error: 0x00000000 - NSLIB:Logging [0x00000000;code:0;sub:0] Success;
SSL Flow Messages: 0x00000038 - CLIENT_HELLO,SERVER_HELLO,SERVER_CERTIFICATE
SSL Flow Flags: 0x000000000480c1c3 - VALID,INITIALIZED,SSL_DETECTED,CERTIFICATE_DECODED,FULL_HANDSHAKE,SERVER_SESSION_ID_SEEN,CLIENT_HELLO_SESSTKT,CH_PROCESSED,SH_PROCESSED
SSL Session ID: 6ac02c9b3f8521fe5289debfa7cdc8863633d66ee02ad9cc061593e9765d1897
SSL Session Ticket:
Network parameters:
src_addr: 192.168.30.74
src_port: 64981
src_intf: 4
src_zone: -1
dst_addr: 72.4.119.2
dst_port: 443
dst_intf: 2
dst_zone: -1
vlan: 0
Matching Rule:
ordinal rule id: 1
rule id: 1
rule name: Decrypt all
Verdict:
Flow action: 6 - Decrypt and resign.
Error action: 2 - Block.
SSL debug example part 1
SHELL

NSE_FRAME__SSL_DETECTED -- found SSL CH (Client Hello), flowid=0x80000019, flags=0x112
ssl_policy_decision:2881 In ssl_policy_decision, session_id_len=32, session_tkt_len=0.
ssl_policy_decision:3093 (M) Rule 9 did not match src endpoint. Looking for: 192.168.30.74
ssl_policy_decision:3102 (M) Rule 2 did not match dst endpoint. Looking for: 72.4.119.2
match_application:1325 In match_application.
ssl_policy_decision:3305 (M) Rule 4 -- did not match URL category
match_application:1325 In match_application.
ssl_policy_decision:3318 (M) Rule 1 matched.
set_verdict:2553 set_verdict: rule->action: 1, passive mode=0

SSL debug example part 2
SHELL

Logstr: ssl_policy_decision: Found matching rule.


Process ID: 2407
Flow context: 0x108421a0
Flow info: 0x7fffc4934e10
flowid: 0x80000019
error: 0x00000000
cipher_suite: 53 - TLS_RSA_WITH_AES_256_CBC_SHA
ssl_version: TLS1.2
server_cert_h: 1
cert summary: CN=ciscolive.com;O=Cisco Systems;
flags: 0x408200000480c1c3/0x0000000000000000
messages: 0x00000038

SSL debug example part 3
SHELL

Connection Event: 0x7fffc4934af8


Policy ID: f4cc16da-e367-11e7-b8ef-ca207ff44967
Rule ID: 1
Logging is on: 1
Cipher Suite: 53 - TLS_RSA_WITH_AES_256_CBC_SHA
SSL Version: 16 - TLS1.2
Server Cert Status: 2 - valid ca chain,
Client Hello Server Name: (null)
Actual Action: 6 - Decrypt and resign.
Expected Action: 6 - Decrypt and resign.
SSL Flow Status: 2 - success - SSL Rule successfully applied.
SSL Flow Error: 0x00000000 - NSLIB:Logging [0x00000000;code:0;sub:0] Success;
SSL Flow Messages: 0x00000038 - CLIENT_HELLO,SERVER_HELLO,SERVER_CERTIFICATE
SSL Flow Flags: 0x000000000480c1c3 -
VALID,INITIALIZED,SSL_DETECTED,CERTIFICATE_DECODED,FULL_HANDSHAKE,SERVER_SESSION_
ID_SEEN,CLIENT_HELLO_SESSTKT,CH_PROCESSED,SH_PROCESSED
SSL Session ID: 6ac02c9b3f8521fe5289debfa7cdc8863633d66ee02ad9cc061593e9765d1897

SSL debug example part 4
SHELL

Network parameters:
src_addr: 192.168.30.74
src_port: 64981
src_intf: 4
src_zone: -1
dst_addr: 72.4.119.2
dst_port: 443
dst_intf: 2
dst_zone: -1
vlan: 0
Matching Rule:
ordinal rule id: 1
rule id: 1
rule name: Decrypt all
Verdict:
Flow action: 6 - Decrypt and resign.
Error action: 2 - Block.
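
To show how the pieces of an ssl_debug file fit together, here is an added Python example (not code from the deck or from Cisco) that reads the trace and Connection Event lines shown in parts 1-4, rejoins the wrapped flag list, reconstructs the rule-evaluation trail, and lists the things a TAC engineer checks first. The sample text is a constructed excerpt of the debug on these slides, and the triage heuristics are this example's own assumptions, not documented Firepower semantics.

```python
import re

# Connection Event fields this example extracts (names exactly as the debug prints them).
FIELDS = {"Actual Action", "Expected Action", "SSL Flow Status", "SSL Flow Error",
          "SSL Flow Messages", "SSL Flow Flags", "Server Cert Status",
          "Client Hello Server Name", "Rule ID", "rule name", "Flow action",
          "Error action", "src_addr", "dst_addr", "dst_port"}
WRAPPED = {"SSL Flow Flags", "SSL Flow Messages"}   # lists that wrap onto following lines
TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+")
RULE = re.compile(r"\(M\) Rule (\d+) (?:-- )?(matched|did not match [^.]+)")


def _code_text(value: str) -> tuple:
    """'6 - Decrypt and resign.' -> (6, 'Decrypt and resign')."""
    code, sep, text = value.partition(" - ")
    return (int(code), text.strip(" .,")) if sep else (None, value.strip(" .,"))


def _names(value: str) -> list:
    """'0x38 - A,B,C' (possibly rejoined from wrapped lines) -> ['A', 'B', 'C']."""
    _, _, names = value.partition("-")
    return [n for n in names.replace(" ", "").split(",") if n]


def triage(s: dict) -> list:
    """Heuristic findings to check first (assumptions of this example, not Cisco's)."""
    findings = []
    if s["flow_status"][0] != 2:
        findings.append(f"flow status is not success: {s['flow_status'][1]}")
    if s["action_mismatch"]:
        findings.append(f"actual action '{s['actual_action']}' differs from expected "
                        f"'{s['expected_action']}'")
    if "SERVER_CERTIFICATE" not in s["messages"]:
        findings.append("no SERVER_CERTIFICATE message: handshake did not reach Certificate")
    if s["server_name"] is None:
        findings.append("no Client Hello Server Name recorded for this flow")
    if s["error_action"] == "Block":
        findings.append("a decryption error on this flow would be blocked (Error action: Block)")
    return findings


def parse_ssl_debug(text: str) -> dict:
    fields, trail, last_key = {}, [], None
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())              # drop the timestamp prefix if present
        if not line:
            continue
        m = RULE.search(line)
        if m:                                       # rule evaluation trail, in order
            trail.append((int(m.group(1)), m.group(2).strip()))
            continue
        key, sep, val = line.partition(":")
        if sep and key.strip() in FIELDS:
            last_key = key.strip()
            fields[last_key] = val.strip()
        elif not sep and last_key in WRAPPED:
            fields[last_key] += line                # rejoin a wrapped flag/message list
        else:
            last_key = None
    actual = _code_text(fields.get("Actual Action", ""))
    expected = _code_text(fields.get("Expected Action", ""))
    sni = fields.get("Client Hello Server Name")
    summary = {
        "rule_trail": trail,
        "matched_rule": next((r for r, why in trail if why == "matched"), None),
        "rule_name": fields.get("rule name"),
        "actual_action": actual[1], "expected_action": expected[1],
        "action_mismatch": actual != expected,
        "flow_status": _code_text(fields.get("SSL Flow Status", "")),
        "flags": _names(fields.get("SSL Flow Flags", "")),
        "messages": _names(fields.get("SSL Flow Messages", "")),
        "server_name": None if sni in (None, "(null)") else sni,
        "cert_status": _code_text(fields.get("Server Cert Status", ""))[1],
        "error_action": _code_text(fields.get("Error action", ""))[1],
        "dst": f"{fields.get('dst_addr')}:{fields.get('dst_port')}",
    }
    summary["findings"] = triage(summary)
    return summary


# Constructed excerpt of the debug output shown on these slides.
SAMPLE_DEBUG = """\
2017-12-17 23:24:12.675 NSE_FRAME__SSL_DETECTED -- found SSL CH (Client Hello), flowid=0x80000019, flags=0x112
2017-12-17 23:24:12.700 ssl_policy_decision:2881 In ssl_policy_decision, session_id_len=32, session_tkt_len=0.
2017-12-17 23:24:12.701 ssl_policy_decision:3093 (M) Rule 9 did not match src endpoint. Looking for: 192.168.30.74
2017-12-17 23:24:12.702 ssl_policy_decision:3102 (M) Rule 2 did not match dst endpoint. Looking for: 72.4.119.2
2017-12-17 23:24:12.712 ssl_policy_decision:3305 (M) Rule 4 -- did not match URL category
2017-12-17 23:24:12.712 ssl_policy_decision:3318 (M) Rule 1 matched.
Logstr: ssl_policy_decision: Found matching rule.
Rule ID: 1
Server Cert Status: 2 - valid ca chain,
Client Hello Server Name: (null)
Actual Action: 6 - Decrypt and resign.
Expected Action: 6 - Decrypt and resign.
SSL Flow Status: 2 - success - SSL Rule successfully applied.
SSL Flow Error: 0x00000000 - NSLIB:Logging [0x00000000;code:0;sub:0] Success;
SSL Flow Messages: 0x00000038 - CLIENT_HELLO,SERVER_HELLO,SERVER_CERTIFICATE
SSL Flow Flags: 0x000000000480c1c3 -
VALID,INITIALIZED,SSL_DETECTED,CERTIFICATE_DECODED,FULL_HANDSHAKE,SERVER_SESSION_
ID_SEEN,CLIENT_HELLO_SESSTKT,CH_PROCESSED,SH_PROCESSED
src_addr: 192.168.30.74
dst_addr: 72.4.119.2
dst_port: 443
rule name: Decrypt all
Flow action: 6 - Decrypt and resign.
Error action: 2 - Block.
"""
```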

SSL debug example part CH Modification
SHELL

ruleLoop:707 (M) Evaluating rule 1 (DecryptAll)


decryptResignBlockHandler:569 (M) Rule eval info available
doRuleConditionsMatch:514 (M) Rule conditions match
getCHDigestToSCFingerprintMapping:192 Digest starting with 7B7FB853 gave fingerprint starting with
93829341
(M) ssl_cache_retrieve_orig_cert returned a good certificate
Rule #1 (DecryptAll) caused verdict of modify. stripHTTP2 is false
store_server_name:413 In store_server_name, flowid=0x80000027, flow_context=0x57d0430, server name:
len=17, www.ciscolive.com, _server_name_hash && name && (fid.id32 != 0)=1
Snort verdict=0, daq flags=0x212, nse flow id=0x80000027, nse flags=0x00000088c080a043, nse
messages=0x8
ssl_policy_decision:2881 In ssl_policy_decision, session_id_len=32, session_tkt_len=0.
match_application:1325 In match_application.
ssl_policy_decision:3318 (M) Rule 1 matched.
set_verdict:2553 set_verdict: rule->action: 1, passive mode=0

Client Hello Tuning
SHELL

>system support ssl-client-hello-tuning

SSL Client Hello tuning of attributes ciphers_allow, ciphers_remove, extensions_allow,
extensions_remove, curves_allow, curves_remove handshake attribute

> system support ssl-client-hello-tuning extensions_remove 16,13172

Using tuning file: /etc/sf/ssl_client_hello.conf
Parameter and value successfully added to configuration file.
Configuration file contents (defaults added automatically):
extensions_remove=16,13172

You must restart snort before this change will take affect
This can be done via the CLI command
'pmtool restartbytype DetectionEngine'.

> system support ssl-client-hello-reset

Using tuning file: /etc/sf/ssl_client_hello.conf
Are you certain that you wish to delete the current SSL tuning configuration file? (y/n) [n]: y
Configuration file successfully deleted.

16 = Application Layer Protocol Negotiation
13172 = Next protocol negotiation
This example is used to fix block pages in HTTPS traffic.
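
As an added illustration (not code from the deck or from Cisco) of what the Pcap investigation slides pull out of a Client Hello and Server Hello, and of which extensions the ssl-client-hello-tuning value above would strip, here is a minimal TLS 1.2 Hello parser in Python. The sample records are constructed in the script; the server name and cipher suites are the ones that appear in this deck, and the `extensions_remove=16,13172` value format is taken from the slide.

```python
import struct

# IANA TLS extension numbers; 16 and 13172 are the two removed on the tuning slide.
EXTENSION_NAMES = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    13: "signature_algorithms", 16: "application_layer_protocol_negotiation",
    23: "extended_master_secret", 35: "session_ticket", 13172: "next_protocol_negotiation",
}
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
# The two suites that appear in the deck's connection event and debug output.
CIPHER_NAMES = {0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}


def parse_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello (type 1) or ServerHello (type 2)."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type not in (1, 2):
        raise ValueError(f"handshake type {hs_type} is not a Client/Server Hello")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                    # skip the 32-byte random
    sid_len = hs[pos]
    pos += 1
    info = {"handshake": "ClientHello" if hs_type == 1 else "ServerHello",
            "version": VERSION_NAMES.get(version, hex(version)),
            "session_id": hs[pos:pos + sid_len].hex(),   # empty string = no session ID
            "server_name": None, "extensions": []}
    pos += sid_len
    if hs_type == 1:
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        info["cipher_suites"] = [CIPHER_NAMES.get(c, hex(c)) for c in suites]
        pos += cs_len
        pos += 1 + hs[pos]                          # compression methods vector
    else:
        suite = struct.unpack("!H", hs[pos:pos + 2])[0]
        info["cipher_suite"] = CIPHER_NAMES.get(suite, hex(suite))
        pos += 3                                    # suite (2) + compression method (1)
    if pos + 2 <= len(hs):                          # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            info["extensions"].append(ext_type)
            if ext_type == 0 and hs_type == 1:      # SNI: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["server_name"] = data[5:5 + name_len].decode("ascii")
    return info


def is_session_resumption(client: dict, server: dict) -> bool:
    """Abbreviated handshake: the server echoed the client's non-empty session ID."""
    return bool(client["session_id"]) and client["session_id"] == server["session_id"]


def extensions_removed_by_tuning(hello: dict, extensions_remove: str) -> list:
    """Name the extensions in this hello that an 'extensions_remove=<ids>' tuning would strip."""
    remove = {int(x) for x in extensions_remove.split(",") if x.strip()}
    return [EXTENSION_NAMES.get(t, str(t)) for t in hello["extensions"] if t in remove]


# --- constructed sample records (built here, not captured traffic) -----------------
def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def _record(hs_type: int, hs_body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


def build_client_hello(host: str, session_id: bytes, suites: list, extra_exts: list) -> bytes:
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    exts = _ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)
    exts += b"".join(_ext(t, d) for t, d in extra_exts)
    body = struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    return _record(1, body + struct.pack("!H", len(exts)) + exts)


def build_server_hello(session_id: bytes, suite: int) -> bytes:
    body = struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
    return _record(2, body + struct.pack("!H", suite) + b"\x00")


SAMPLE_SID = bytes(range(32))
ALPN = b"\x00\x0c\x02h2\x08http/1.1"                 # ALPN protocol list: h2, http/1.1
SAMPLE_CLIENT_HELLO = build_client_hello("www.ciscolive.com", SAMPLE_SID, [0xC02F, 0x0035],
                                         [(16, ALPN), (13172, b""), (35, b"")])
SAMPLE_SERVER_HELLO = build_server_hello(SAMPLE_SID, 0x0035)  # echoes the ID: abbreviated handshake
```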

Agenda
• Map out the scope
• Identify the problem
• Gather data
• Analyze
Interpreting the connection event
URL inspection issues

Interpreting the connection event
Reading Flow Errors

Interpreting the connection event
Unknowns

Interpreting the connection event
Unknowns

Browser
Quickest data

Browser
More in-depth

Pcap investigation Client Hello
• Session ID
• Server Name
• Known problems
• Potential problems

Case study
Common Cases
• Certificate issues
• Decryption errors

Work through a TAC case
• Map out the scope
• Identify the problem
• Gather Data
• Analyze
Case Study 1
Problem Description from customer
• I enabled SSL policy last week without issue, however this week when I ran the report I am seeing a lot of Do Not Decrypts. Why is my SSL policy not working?

Ask the customer?

Is there a pattern to the traffic decrypted and not decrypted?

Can we see your SSL Policy?

What does your connection event show for this traffic?

Here is the data
I am not seeing any patterns

What do we know?

This is not an isolated issue

SSL policy looks standard

He is using URL filtering as the top rule

He is having a pending server name error

Ask the customer?

Are you having URL filtering issues?

Here is the data

I have another TAC case open for URL cloud connectivity

Proposed solution

The SSL policy will take the default action if URL filtering is not working and you are using URL rules.

Results

Once TAC fixed my URL issue, SSL decryption is working as expected. Thank you

TAC Analysis
• Certain features are dependent on other features
• Connection events hold many clues

Case Study 2
Problem Description from customer
• I recently enabled the SSL policy and suddenly my users are unable to get to the internet.

Ask the customer?

What error messages are you seeing?


Can we see your SSL Policy?

What does your connection event show for this traffic?

Here is the data
I am getting red trust errors on my browser.

What do we know?
• SSL Policy looks correct
• Connection events are showing Decrypt and Success
• The browsers are not trusting the certificate

Ask the customer?
Can you send me a screenshot of the browser error?
Can you try different browsers?

Have you installed the certificate on the client machines?

Here is the data
I am getting errors in both chrome and firefox

All of my clients trust this certificate, I’ve used it before.

I am getting red trust errors on my browser.

Here is the data

Analyze the data
Why did he mention he has used this before?

The browsers are saying the certificate is invalid

Ask the customer?
Where did you get this certificate from?

Where else have you used this certificate?

Here is the data
I got my certificate from a public CA, I bought a wildcard certificate
I used this certificate on all of my web servers

TAC Webex

Proposed solution
Stand up an Internal CA
Push out the CA to all of your clients

Post the public key of the CA for wireless users to download

Results
After setting up my own CA and importing it into my FMC the errors go away. Thank you

TAC Analysis
• Wildcard certificates from a public CA will not work for Decrypt Resign

See Reference slides for alternatives.

Questions?

Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you

Additional Information for the presentation

Wireshark Tips for SSL Handshake
• tcp.port == <source port>
• ssl.handshake.type == 2 Server Hello
• ssl.handshake.type == 1 Client Hello

Importing Certificates Index
• Page 1: Overview
• Page 2: Internal CA
• Page 3: Internal CA – CSR
• Page 4: Certificate Example
• Page 5: Internal CA – CSR import
• Page 6: Certificate Install Example
• Page 7: Extracting from unsupported certificate formats
• Page 8: Internal CA – Self Signed
• Page 9: Trusted CA
• Page 10: Internal Certificate

Importing Certificates: Page 1
• Object > Object Management

• Internal CAs
• To import your certificate for Decrypt Resign

• Trusted CAs
• Import any Internal CA (Company Root CA for example)

• External Certs
• Public Certificates of servers you do not own
• Used only for filtering in SSL policy
• TAC rarely sees these

• Internal Certs
• Public Certificate and Private Key of servers you own
• Required for Decrypt Known-key

• Cert Enrollment
• VPN, not covered in this presentation

Importing Certificates: Page 2
Internal CA

• Import CA
• Import an Internal CA
• If generated on Windows, use the Certificate Template of Subordinate CA

• Generate CA
• Generate a self-signed certificate
• Root CA
• Generate CSR
• Sign as a Subordinate CA certificate
• On Windows use Subordinate CA
Importing Certificates: Page 3
Internal CA – CSR (Certificate Signing Request)
• Certificate Signing Requests are to be signed by your internal CA only
• Copy the entire Base64 text in the CSR box to Notepad and save it as a .csr
• It should look similar to the example below; the important part is to include the entire text, from the first marker line to the last:
• -----BEGIN CERTIFICATE REQUEST-----
• -----END CERTIFICATE REQUEST-----
• Do not add carriage returns or "correct" the spacing; either can cause issues
• Use Notepad or something similar; WordPad and Microsoft Word add hidden characters that can cause issues
• Click OK, not Cancel or the X
• Cancel will not save the object and the CSR is lost
• It cannot be re-imported
Importing Certificates: Page 4
Certificate Example
-----BEGIN CERTIFICATE REQUEST-----
(Base64 CSR body omitted)
-----END CERTIFICATE REQUEST-----
Importing Certificates: Page 5
Internal CA – CSR Import after being Signed
• Once the CSR is signed you should receive a new certificate
• Edit the Object seen on Page 2 to get this menu
• Click Install Certificate
• See Page 4 for an example
Importing Certificates: Page 6
Certificate Install Example
• If you were not given a password you can leave it blank
• This accepts Base64 or a certificate file
• .cer
• .crt
• .pem
• .der
• If you receive a .pkcs12 or .pkcs7 you need to convert it to a .pem
• Copy the entire Base64 text in the CSR box to Notepad and save it as a .csr
• It should look similar to the example below; the important part is to include the entire text, from the first marker line to the last:
• -----BEGIN CERTIFICATE REQUEST-----
• -----END CERTIFICATE REQUEST-----
• Do not add carriage returns or "correct" the spacing; either can cause issues
• Use Notepad or something similar; WordPad and Microsoft Word add hidden characters that can cause issues
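A quick sanity check for pasted CSR or certificate text before clicking OK, covering the Page 3 and Page 6 warnings about hidden characters, altered spacing and a partially copied body. This is an added example, not Cisco's code or part of the presentation; the DER body used as sample input is constructed and stands in for a real request.

```python
import base64
import re

def _der_length(der: bytes):
    """Return (declared content length, header size) of the outer DER element."""
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return first, 2
    n = first & 0x7F                       # long form: next n bytes hold the length
    return int.from_bytes(der[2:2 + n], "big"), 2 + n

def check_pem(text: str) -> list:
    """List problems in pasted PEM text (CSR or certificate); [] means it looks intact."""
    problems = []
    # WordPad/Word residue: byte-order mark, non-breaking spaces, smart quotes, control chars
    hidden = sorted({c for c in text if ord(c) > 126 or (ord(c) < 32 and c not in "\r\n")})
    if hidden:
        return ["hidden or non-ASCII characters present: %r" % hidden]
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    first = lines[0]
    if not (first.startswith("-----BEGIN ") and first.endswith("-----")):
        return ["first line is not a -----BEGIN ...----- marker"]
    label = first[len("-----BEGIN "):-5]
    if lines[-1] != "-----END %s-----" % label:
        problems.append("last line is not the matching -----END %s----- marker" % label)
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        problems.append("body contains non-Base64 characters (added spaces or edits?)")
        return problems
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        problems.append("Base64 does not decode cleanly: %s" % exc)
        return problems
    # A CSR or X.509 certificate is a DER SEQUENCE (0x30) whose declared length must
    # cover exactly the bytes present; a line lost while copying shows up here
    if not der or der[0] != 0x30:
        problems.append("decoded data does not start with a DER SEQUENCE")
        return problems
    content_len, header_len = _der_length(der)
    if header_len + content_len != len(der):
        problems.append("DER length mismatch: expected %d bytes, decoded %d (truncated text?)"
                        % (header_len + content_len, len(der)))
    return problems

# Constructed stand-in for a CSR body: a 7-byte DER SEQUENCE, not a real request
_DER = bytes.fromhex("30050201050500")
GOOD_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(_DER).decode()
            + "\n-----END CERTIFICATE REQUEST-----\n")
TRUNCATED_PEM = GOOD_PEM.replace("AA==", "")      # last Base64 group lost while pasting
WORD_PEM = "\ufeff" + GOOD_PEM                     # editor prepended a byte-order mark
```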
Importing Certificates: Page 7
Extracting from unsupported certificate formats
• Private Key (encrypted):
• openssl pkcs12 -in file.p12 -nocerts -out encrypted.key
• *Prompts for the password used when exporting, THEN prompts for an encryption password for the private key

• Private Key (unencrypted):
• openssl rsa -in encrypted.key -out decrypted.key
• *Prompts for the password for the private key

• Certificate:
• openssl pkcs12 -in file.p12 -nokeys -out certificate.crt

• Extract certificate chain from P7B:
• openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

• If you receive another format you should be able to find an openssl command for extracting the public key/certificate and private key into separate files.
• Base64 output tends to be easier to work with, as it can be copied and pasted where binary (.der) cannot be.
Importing Certificates: Page 8
Internal CA – Self Signed
• FMC becomes the Root CA
• Open the object on page 2, then click Download
• It requires you to create a password
• You receive a .p12 file
• This file contains the public and private key
• *Keep this file safe and do not distribute it, as doing so creates a security issue
• Best practice is to extract just the certificate from the .p12 and provide it to your clients
• openssl pkcs12 -in file.p12 -nokeys -out certificate.crt
Importing Certificates: Page 9
Trusted CA
• This is for any CA you use in your environment
• Requires just the public certificate
• Importing all CAs in your environment here makes certain configurations simpler
• Example: an ISE configuration will not have trust errors if you already trust the common CA
Importing Certificates: Page 10
Internal Certificate
• Required for Decrypt Known Key
• Requires both the public certificate and the private key
• This accepts Base64 or a certificate file
• .cer
• .pem
• .crt
• .der
• See page 7 for extracting from other file types
Check the SSL policy: Page 1
• Compressed Session
• The SSL session applies a data compression method
• SSLv2 Session
• The session is encrypted with SSL version 2
• Note that traffic is decryptable if the ClientHello message is SSL 2.0 and the remainder of the transmitted traffic is SSL 3.0.
• Unknown Cipher Suite
• The system does not recognize the cipher suite
• Software update may be required
• Unsupported Cipher Suite
• The system does not support decryption based on the detected cipher suite
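To see what the Wireshark filters in the appendix (ssl.handshake.type 1 and 2) match, and what the SSLv2 Session and cipher suite flow errors above are looking at, here is an added Python example that is not from the presentation or Cisco: it classifies a single TLS record and reports the hello version and cipher suites, including an SSLv2-format ClientHello. The sample records are constructed rather than captured, and the two-entry suite name table is an assumption standing in for a full suite list.

```python
import struct

HANDSHAKE = 22                      # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2   # the ssl.handshake.type values used in the Wireshark filters
SUITE_NAMES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # assumed short lookup table
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_hello(record: bytes) -> dict:
    """Classify one TLS record and pull out the fields checked first when troubleshooting."""
    # SSLv2-format ClientHello: no record header, 2-byte length with the high bit set and the
    # message type in the third byte; the rest of such a session may still be SSL 3.0 or later
    if record[0] & 0x80 and record[2] == CLIENT_HELLO:
        return {"type": "ClientHello", "sslv2_format": True, "version": (record[3], record[4])}
    ctype, _maj, _min, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        return {"type": "not-handshake", "content_type": ctype}
    body = record[5:5 + rlen]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    version = (hello[0], hello[1])
    pos = 2 + 32                          # skip protocol version and the 32-byte random
    pos += 1 + hello[pos]                 # skip the length-prefixed session id
    if htype == SERVER_HELLO:             # the server's single chosen cipher suite
        suite = int.from_bytes(hello[pos:pos + 2], "big")
        return {"type": "ServerHello", "version": version, "cipher_suite": suite,
                "suite_name": SUITE_NAMES.get(suite, "unknown")}
    if htype == CLIENT_HELLO:             # the client's offered cipher suite list
        n = int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + n, 2)]
        return {"type": "ClientHello", "version": version, "cipher_suites": suites}
    return {"type": "other-handshake", "handshake_type": htype}

def _record(htype: int, hello: bytes) -> bytes:
    """Wrap a hello body in handshake and TLS record headers (record version 3.1)."""
    hs = bytes([htype]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + len(hs).to_bytes(2, "big") + hs

# Constructed sample messages, not real captures: TLS 1.2 hellos with an empty session id
_RANDOM = bytes(32)
CLIENT_HELLO_MSG = _record(CLIENT_HELLO, bytes([3, 3]) + _RANDOM + b"\x00"
                           + b"\x00\x04\xc0\x2f\x00\x2f"   # two offered suites
                           + b"\x01\x00\x00\x00")          # null compression, no extensions
SERVER_HELLO_MSG = _record(SERVER_HELLO, bytes([3, 3]) + _RANDOM + b"\x00" + b"\xc0\x2f\x00")
SSLV2_CLIENT_HELLO = b"\x80\x2e\x01\x03\x01" + bytes(43)    # SSLv2 framing, asks for TLS 1.0
```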
Check the SSL policy: Page 2
• Session not cached
• The SSL session is being reused, but the system has no cached session for it
• Mid-stream pickup (SSL handshake not seen)
• Snort restart (SSL session tables are lost)

• Handshake Errors
• An error occurred during SSL handshake negotiation
• Unsupported extension in SSL Handshake
• Prior to 6.1, the Extended Master Secret extension would cause this.

• Decryption Errors
• An error occurred during traffic decryption
• This traffic cannot be allowed; if this error occurs the session is blocked.
References for TAC cases
TAC Case open template: Page 1
• For questions about SSL errors or unexpected actions, to speed up the TAC case please open it with the following:
• CSV report output of Connection Events matching this traffic*
• Please see Gather report of connection events
• Packet capture
• Client
• Sensor
• Server side
• Explanation of the applications and errors seen
• Include any recent changes you are aware of
• Troubleshoot from the sensor
Gather report of connection events: Page 1
• Take the information from the pcap
• Analysis > Connections > Events
• Search
• Fill out as much information as possible to narrow down the results
• Initiator IP
• Destination Port
• SSL Yes
Gather report of connection events: Page 2
• After searching, ensure Table View of Connection Events is selected
Gather report of connection events: Page 3
• Enable all SSL Fields
• When you click the x it disables that column, so be sure to re-enable it
• In this example it would disable the SSL Flow Error column
• Confirm your SSL error is seen
• Confirm this connection event matches the pcap
Gather report of connection events: Page 4
• On the top right click Report Designer
• This is often hidden by health alert drop-downs
• You should see the menu below
Gather report of connection events: Page 5
• Confirm the time window for both tables
• Generate the report (Blue Circle)
• Select the CSV option (Green Circle)
• Generate
• It may ask you to save
Gather report of connection events: Page 6
• Download the CSV format
• The health menu to the right of Deploy
• This will be either a green check, a yellow triangle, or a red !
• Blue circle
• Under Tasks (Green Circle)
• Click CSV
• Upload to the case
Case Study 2 Notes: Page 1
• Public certificates cannot be used for SSL Policy
• Public CAs will not sign a wildcard certificate
• Example: CN=*
• A CN=* could spoof any domain, meaning you could create a cisco.com certificate, and if you could redirect DNS for cisco.com to your IP the end user would see a trusted connection.
• This behaviour would break the trust of the Public Key Infrastructure.

• When using the SSL policy all connections become trusted by the end user
• The FMC keeps a revocation list
• The sensor does certificate validation
• The sensor is capable of forwarding self-signed certificates for end user validation, replacing just the key.
Case Study 2 Notes: Page 2
• A customer with an Active Directory Domain could use a Windows CA.
• AD pushes certificates to all domain-joined machines
• This can also be done with a non-Windows CA.
• Microsoft has many online guides on how to do this.

• Potential solution for non-domain users:
• Wireless users could be redirected upon authentication to a webpage with a public certificate
• Providing instructions on how to install the certificate would help.