SSL decryption alert or log

L1 Bithead

Hi

 

We use SSL decryption and from time to time we have issues with web sites and apps not working because we are decrypting their traffic.

 

If it's a web site that doesn't like SSL decryption, most of the time the end user will get the relevant response page, but our issue is with applications or Windows apps that don't like SSL decryption, because we don't get a response page, we just get an error in the app.

 

When we check the firewall there is nothing clear in the logs (Traffic and/or URL Filtering) that SSL decryption is causing issues, so troubleshooting takes a lot longer.

 

Is there any way that we can get logs for SSL decryption issues?

 

Hope this makes sense

L7 Applicator

Re: SSL decryption alert or log

Hello,

 

The way I have done it in the past is to make sure nothing is trying to reach out from that PC to the internet and start the intended action, i.e. Windows updates. Then I filter the unified logs to see which URLs they are reaching out to. From there it is a bit of a hit or miss to see which URLs I need to allow. Once I find it, I usually have to allow the application and make sure the URLs are not being decrypted.

 

Hope that helps and makes sense.

 

Regards,

L1 Bithead

Re: SSL decryption alert or log

Hi

 

That's kinda what I have been doing, but it's still a pain and I was hoping there might be an easier way to find out if a site/app doesn't like having its SSL decrypted.

L7 Applicator

Re: SSL decryption alert or log

Hello,

I think that is something we all want. I don't know of any way except a user notifying me :(.

 

Sorry

L7 Applicator

Re: SSL decryption alert or log

@Carpetright @Otakar.Klier,

They did release a few new session_end_reasons in 7.1 that actually do help in seeing when a website has issues with decryption. It still isn't perfect, and doesn't even necessarily guarantee they are having an issue, but it at least gives you something to look for.

 

( session_end_reason eq decrypt-unsupport-param ) or ( session_end_reason eq decrypt-cert-validation ) or ( session_end_reason eq decrypt-error )
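
Added example, not part of the original reply: the same three end reasons applied offline to a traffic-log CSV export, grouped per destination and application so repeat offenders stand out as candidates for a decryption exclusion. The column names, the sample rows and the `min_sessions` threshold are assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# The three session end reasons named in the reply above.
DECRYPT_REASONS = {"decrypt-unsupport-param", "decrypt-cert-validation", "decrypt-error"}

# Constructed sample export. Column names are assumed; match them to the
# header row of your own traffic-log CSV.
SAMPLE_CSV = """\
Source address,Destination address,Destination Port,Application,Session End Reason
10.1.1.10,203.0.113.5,443,ssl,decrypt-error
10.1.1.11,203.0.113.5,443,ssl,decrypt-error
10.1.1.10,203.0.113.5,443,ssl,decrypt-cert-validation
10.1.1.12,198.51.100.7,443,ms-update,decrypt-unsupport-param
10.1.1.13,198.51.100.7,443,ms-update,decrypt-unsupport-param
10.1.1.12,198.51.100.7,443,ms-update,tcp-fin
10.1.1.13,192.0.2.9,443,web-browsing,tcp-fin
"""

def load(text):
    # Parse CSV text into a list of row dicts keyed by header name.
    return list(csv.DictReader(io.StringIO(text)))

def decrypt_failures(rows, min_sessions=2):
    """Summarise decrypt-* session ends per (destination, port, application).
    min_sessions drops one-off hits, which alone do not prove breakage."""
    total = Counter()
    failed = defaultdict(Counter)
    clients = defaultdict(set)
    for row in rows:
        key = (row["Destination address"], row["Destination Port"], row["Application"])
        total[key] += 1
        reason = row["Session End Reason"].strip().lower()
        if reason in DECRYPT_REASONS:
            failed[key][reason] += 1
            clients[key].add(row["Source address"])
    report = []
    for (dest, port, app), reasons in failed.items():
        count = sum(reasons.values())
        if count >= min_sessions:
            report.append({"dest": dest, "port": port, "app": app, "failed": count,
                           "total": total[(dest, port, app)],
                           "clients": len(clients[(dest, port, app)]),
                           "reasons": dict(reasons)})
    return sorted(report, key=lambda r: (-r["failed"], r["dest"]))

if __name__ == "__main__":
    for entry in decrypt_failures(load(SAMPLE_CSV)):
        print(entry)
```

A destination where `failed` is close to `total` and several clients are affected is a stronger signal than a single hit from one PC.
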
L1 Bithead

Re: SSL decryption alert or log

That looks like it could do the trick! Just tested it out and it's the nearest thing we are going to get.

 

Cheers
