SSL decryption alert or log


L1 Bithead

Hi

We use SSL decryption and from time to time we have issues with web sites and apps not working because we are decrypting their traffic.

If it's a web site that doesn't like SSL decryption, most of the time the end user will get the relevant response page, but our issue is with applications or Windows apps that don't like SSL decryption, because we don't get a response page, we just get an error in the app.

When we check the firewall there is nothing clear in the logs (Traffic and/or URL filtering) that SSL decryption is causing issues, so troubleshooting takes a lot longer.

Is there any way that we can get logs for SSL decryption issues?

Hope this makes sense


Accepted Solutions

@Carpetright @OtakarKlier,

They did release a few new session_end_reasons in 7.1 that actually do help in seeing when a website has issues with decryption. It still isn't perfect, and doesn't even necessarily guarantee they are having an issue, but it at least gives you something to look for.

( session_end_reason eq decrypt-unsupport-param ) or ( session_end_reason eq decrypt-cert-validation ) or ( session_end_reason eq decrypt-error )
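One way to triage an exported set of traffic logs with those three session end reasons, grouping by destination and application so that destinations failing on most sessions stand out (an added example, not part of the original post and not Palo Alto Networks tooling). The CSV column names `dst`, `app` and `session_end_reason`, the 0.5 ratio threshold and the sample rows are assumptions constructed for illustration; match the column names to your own export.

```python
import csv
import io
from collections import Counter

# The three session end reasons named in the filter above.
DECRYPT_REASONS = {"decrypt-unsupport-param", "decrypt-cert-validation", "decrypt-error"}

# Constructed sample rows. Column names are assumptions, not a vendor format.
SAMPLE_CSV = """\
src,dst,app,session_end_reason
10.0.0.5,203.0.113.10,ssl,decrypt-error
10.0.0.5,203.0.113.10,ssl,decrypt-error
10.0.0.7,203.0.113.10,ssl,decrypt-cert-validation
10.0.0.5,198.51.100.20,web-browsing,tcp-fin
10.0.0.8,198.51.100.20,ssl,decrypt-unsupport-param
10.0.0.8,198.51.100.20,ssl,tcp-fin
10.0.0.8,198.51.100.20,ssl,tcp-fin
10.0.0.9,198.51.100.20,ssl,aged-out
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def decrypt_failure_summary(rows, min_ratio=0.5):
    """Return (dst, app) groups whose share of decrypt-* endings is >= min_ratio.

    A single decrypt-* ending does not prove a problem, so the ratio against
    all sessions to the same destination/app is used to rank candidates.
    """
    total, failed, reasons = Counter(), Counter(), {}
    for row in rows:
        key = (row["dst"], row["app"])
        total[key] += 1
        reason = row["session_end_reason"].strip()
        if reason in DECRYPT_REASONS:
            failed[key] += 1
            reasons.setdefault(key, Counter())[reason] += 1
    out = []
    for key, n in failed.items():
        ratio = n / total[key]
        if ratio >= min_ratio:
            out.append({"dst": key[0], "app": key[1], "failed": n,
                        "total": total[key], "ratio": round(ratio, 2),
                        "reasons": dict(reasons[key])})
    return sorted(out, key=lambda r: (-r["ratio"], -r["failed"]))

if __name__ == "__main__":
    for entry in decrypt_failure_summary(load(SAMPLE_CSV)):
        print(entry)
```
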


5 REPLIES 5

Cyber Elite

Hello,

The way I have done it in the past is make sure nothing is trying to reach out from that PC to the internet and start the intended action, i.e. Windows updates. Then I filter the unified logs to see which URL they are reaching out to. From there it is a bit of hit or miss to see which URLs I need to allow. Once I find it I usually have to allow the application and make sure the URLs are not being decrypted.

Hope that helps and makes sense.

Regards,

Hi

That's kinda what I have been doing, but it's still a pain and I was hoping there might be an easier way to find out if a site/app doesn't like having its SSL decrypted.

Hello,

I think that is something we all want. I don't know of any way except a user notifying me :(.

Sorry


That looks like it could do the trick! Just tested it out and it's the nearest thing we are going to get.

Cheers
