topic Re: troubleshooting SSL decryption in General Topics

troubleshooting SSL decryption

dieter_b — Fri, 14 Feb 2014 10:13:35 GMT

We've been using SSL decryption for a while now.

Where for the most websites, this is not an issue, once in a while a user complains that certain https website doesn't load at all. Browser just keeps loading indefinitely.

We can't find a reason in the logs, traffic is allowed, not blocked, decrypted flag is checked in the log detail.

For now our workaround is to add those websites to an encryption exception list (address group). But that list is starting to grow to 30+ addresses.

Two problems with this approach:

- the list is hard to maintain

- no SSL decryption, so no full App-ID visiblity for those

How can I troubleshoot this, how can I determine the real reason the sites don't load ?

Re: troubleshooting SSL decryption

VinceM — Fri, 14 Feb 2014 13:56:12 GMT

Hi,

Reason for decryption fail shold be:

- Client cert used

- Non RFC app

- unsupported crypto setting

From cli you can use command like:

show system setting ssl-decrypt ecclude-cache

Carefull not trying to decrypt too many thing according law

Hope help

Re: troubleshooting SSL decryption

mbutt — Fri, 14 Feb 2014 17:24:57 GMT

I am not sure what software version you are on but there was a fix that went in 4.1.9

Bug 43507:Due to a buffering issue, firewalls configured with SSL forward proxy decryption caused performance issues for clients when downloading a large number of files (16k +) from web servers over HTTPS.

If you are on 4.1.8 i would recommend upgrading.

Thanks

Numan

Re: troubleshooting SSL decryption

dieter_b — Mon, 17 Feb 2014 07:16:18 GMT

We're on 5.0.8, so that's probably another issue. Thanks anyway.

Re: troubleshooting SSL decryption

dieter_b — Mon, 17 Feb 2014 07:21:29 GMT

Thanks, didn't know that command.

At least we now can confirm if there's a problem with certain website.

Currently I see all timing out for reason CERT_UNSUPPORTED. Any setting where I can say if that's te reason, don't decrypt and continue ?

Re: troubleshooting SSL decryption

HULK — Mon, 17 Feb 2014 07:56:41 GMT

Hello Sir,

Yes, you can change the settings under the decryption profile assigned to the decryption policy and I disabled ( uncheck) the option "Block sessions with unsupported cipher suites".

Thanks

Re: troubleshooting SSL decryption

dieter_b — Mon, 17 Feb 2014 08:02:49 GMT

Great info, I'll try that

Re: troubleshooting SSL decryption

kasito — Wed, 20 Mar 2019 14:44:33 GMT

Hello Guys,

What is the best way to troubleshoot SSL interception?

Here I have an exception with:

Issuer: RapidSSL RSA CA 2018

Status: untrusted

Ok great but I don't understand why the certificate is untrusted. I am trying to find some information in logs but I don't fing anything relevant. The relevant CA is trusted.

Is there some commands to troubleshoot that? Maybe the only way in the packet capture.

Thanks.

Best regards