Please explain the “TLS 1.3 Server Identity Discovery” feature?

m1xed0s
Spotlight

As the title suggests, can someone please explain the “TLS 1.3 Server Identity Discovery” feature from a true technical perspective? How does it work and how would it impact encrypted traffic?

I thought I knew what the feature does, but I have been burned by it twice in the last couple of months… in neither case could TAC explain why…

Case 1: I turned on this feature, aka “Early application detection and URL categorization”, on an FTD running in transparent mode with v7.2 firmware. Once the deployment was done, all user SSL/TLS traffic got dropped… no blocking events were captured though… the fix was to turn the feature off.

Case 2: I turned on this feature on an FTD running in routed mode with v7.0 firmware. It did not drop user SSL/TLS traffic, but it impacted a multi-tier application whose inter-tier traffic traverses the FTD… again a silent drop/impact with no events showing… again the fix was to disable the feature in the ACP…

In either case, there were ACP rules matching URL categories but no rules matching APP categories… My thought/understanding of the feature was/is that the FTD would probe the server cert for TLS 1.3 traffic to determine the app generating this traffic without the need to decrypt the traffic. It should not under any circumstances filter/drop TLS traffic, even if the FTD cannot determine the app… so am I wrong?

It is supposed to be a simple and useful security feature, but… could someone who knows more please explain.


2 Replies

Octavian Szolga
Level 4

https://www.youtube.com/watch?v=pgjZvgUkcCQ

Later edit: sorry, now I saw your scenarios.
The 1st thing that came to my mind is: how does it probe the destination server in transparent mode?

The 2nd thing: do you have an SSL policy in place for your traffic?

Maybe you're hitting a bug?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd80741

My notes:

No SSL Policy present:
- If no SNI is present, the connection is not matched for TLS 1.3 (the server certificate is encrypted)
- If SNI is present, URL filtering matches based on the client SNI option (which may be spoofed)
- If SNI is present and early app detection is enabled, the FTD creates a sidecar connection to the same server and checks the server cert fields; the connection is allowed based on the server cert; if the SNI does not match the server cert, the connection is blocked.

BR,

Octavian
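As an added illustration (not Cisco's code and not from either poster), here is a small model of the three cases in the notes above: no SNI, SNI only, and SNI plus sidecar certificate check. The sidecar probe is replaced by a constructed table of what a probe would see in the server certificate's SAN list, and treating a failed probe as a block is an assumption the thread does not settle.

```python
"""Constructed model of the TLS 1.3 Server Identity Discovery decision described
in the notes above. Not Cisco's implementation; hostnames and IPs are made up."""
from dataclasses import dataclass
from typing import Optional

# Constructed: DNS SANs a sidecar connection to each server would observe.
# None models a probe that cannot complete (e.g. no usable source address).
PROBE_RESULTS = {
    "203.0.113.10": ["www.example.com", "*.example.com"],
    "198.51.100.20": ["app-tier.internal", "app-tier"],  # inter-tier app cert
    "198.51.100.30": None,                                # probe failed
}


def san_matches(sni: str, san: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard that replaces
    only the leftmost label (so *.example.com does not cover a.b.example.com)."""
    sni, san = sni.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        sni_labels, san_labels = sni.split("."), san.split(".")
        return len(sni_labels) == len(san_labels) and sni_labels[1:] == san_labels[1:]
    return sni == san


@dataclass
class Verdict:
    action: str  # "allow", "block" or "unmatched"
    reason: str


def classify(sni: Optional[str], server_ip: str, early_detection: bool) -> Verdict:
    # Case 1: no SNI and the certificate is encrypted in TLS 1.3, so nothing to match.
    if not sni:
        return Verdict("unmatched", "no SNI; server certificate is encrypted")
    # Case 2: SNI only. The value is client-supplied and therefore spoofable.
    if not early_detection:
        return Verdict("allow", f"matched on unverified client SNI {sni!r}")
    # Case 3: sidecar probe, then compare the SNI against the certificate SANs.
    sans = PROBE_RESULTS.get(server_ip)
    if sans is None:
        # Assumption: a failed probe is handled like a mismatch (the thread does
        # not state this; it is one reading of the silent drops in Case 1).
        return Verdict("block", "sidecar probe failed; SNI could not be verified")
    if any(san_matches(sni, s) for s in sans):
        return Verdict("allow", f"SNI {sni!r} matches a certificate SAN")
    return Verdict("block", f"SNI {sni!r} not covered by certificate SANs {sans}")
```

The inter-tier case shows the practical trap: if the application connects with an SNI (or IP) that the server's certificate SANs do not cover, the check blocks it even though no ACP rule matches the application.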

Thanks for the info, especially the bug. I think my 2nd case is that bug… but again, why does this feature even drop packets when the name suggests detection!!
