SSL Decryption - What categories do you decrypt?

networkadmin — Sun, 27 Apr 2014 13:05:45 GMT

Right now we have a policy to never decrypt shopping and finance/banking sites, and we decrypt web based email and social networking.

I know there are issues with certain applications (Windows Update I believe?) if you try to decrypt so I wondered what your decryption/inspection policies are?

Re: SSL Decryption - What categories do you decrypt?

dieter_b — Mon, 26 Jun 2023 15:55:22 GMT

The tech note on configuring SSL decryption Controlling SSL Decryption lists the default categories you should use as a start and some you should not.

You will always stumble on certain applications that don't cope well with SSL decryption, so you'll have to exclude those. Typical example is bank transaction software, they probably do extra checks on the certificate chain. Another very specific one is Java. Not because it's Java, but because it has its own certificate store (you'd have to import your intermediate CA separately if you have Java applications that use ssl).

But I wouldn't do exclusion on category level (you'll exclude way too much). Just do it per application, like the tech note says. We use a "decryption exception" rule that uses an address group (containing fqdn as well as ip address objects). Good application vendors will be able to supply you with a list of ip's and/or url's their application needs. If they don't you'll have to find out yourself (disable ssl decryption and monitor the logs).

Only way to find out is enabling SSL decryption, so be ready to take some time troubleshooting.

topic SSL Decryption - What categories do you decrypt? in General Topics

SSL Decryption - What categories do you decrypt?

Re: SSL Decryption - What categories do you decrypt?