topic Re: SSL decryption alert or log in General Topics

SSL decryption alert or log

Carpetright — Fri, 15 Dec 2017 15:15:53 GMT

We use SSL decryption and from time to time we have issue with web sites and apps not working because we are decrypting their traffic.

If its a web site that doesnt like ssl decryption most of the time the end user will get the relevant response page, but our issue is with applications or windows apps that doesnt like ssl decryption because we dont get a response page we just get an error in the app

When we check the firewall there is nothing clear in the logs (Traffic and or URL filtering) that SSL decryption is causing issues, so troubleshootingtakes a lot longer.

Is there anyway that we can get logs for SSL decryption issues?

Hope this makes sense

Re: SSL decryption alert or log

OtakarKlier — Fri, 15 Dec 2017 16:40:40 GMT

Hello,

The way I have done it inthe past is make sure nothing is trying to reach out from that PC to the internet and start the intended action, i.e. windows updates. Then I filter the unified logs to see which URL they are reaching out to. From there is a bit of a hit or miss to see which URL's I need to allow. Once I find it I usually have to allow the application and make sure the URL's are not being decrypted.

Hope that helps and makes sense.

Regards,

Re: SSL decryption alert or log

Carpetright — Fri, 02 Feb 2018 14:58:11 GMT

Thats kinda what i have been doing but its still a pain and i was hoping there might be an easier way to find out if a site/app doesnt like having its SSL decrypted

Re: SSL decryption alert or log

OtakarKlier — Fri, 02 Feb 2018 15:14:42 GMT

Hello,

I think that is something we all want. I dont know of any way except a user notifying me :(.

Sorry

Re: SSL decryption alert or log

BPry — Fri, 02 Feb 2018 22:44:19 GMT

@Carpetright @OtakarKlier,

They did release a few new session_end_reasons in 7.1 that actually do help in seeing when a website has issues with decryption. It still isn't perfect, and doesn't even necissarly guarentee they are having an issue, but it at least gives you something to look for.

( session_end_reason eq decrypt-unsupport-param ) or ( session_end_reason eq decrypt-cert-validation ) or ( session_end_reason eq decrypt-error )

Re: SSL decryption alert or log

Carpetright — Mon, 05 Feb 2018 09:13:48 GMT

That looks like it could do the trick! just tested it out and its the nearest thing we are going to get

Cheers