OpenVPN Interception

Hi

I would like to know if OpenVPN (SSL VPN) can be intercepted by proxy appliances like Cisco IronPort & Blue Coat, amongst others? I raise this question because companies are now intercepting HTTPS traffic using these appliances with fake certificates. This allows the decrypting of HTTPS without the end user being aware that it is happening.

I have not been able to find any reference on the net to this question of mine. My question to the security experts is: is OpenVPN susceptible to interception, since it also relies on certificates? If OpenVPN can be intercepted, what are the technical details of how this is done?

Thanks in advance.

Regards

1 REPLY
Cisco Employee


Hi ms4561

I don't know OpenVPN personally, but any application that uses SSL should verify that the certificate presented by the peer is valid and belongs to the peer.

E.g. when the Cisco AnyConnect client receives a fake cert from a proxy, then it will either (depending on version and settings)

- deny the connection and inform the user why, or

- inform the user of the certificate mismatch and offer options to cancel the connection or continue anyway.

So "decrypting of HTTPS without the enduser aware" can only happen if the application is not doing proper certificate validation, or if the user just clicks continue without realizing what he is doing (a very real threat nowadays, unfortunately).

hth

Herbert
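The two outcomes Herbert describes (a validating client rejects the proxy's forged certificate; a client that skips validation, or a user who clicks "continue anyway", accepts it) can be reproduced end to end with nothing but the Go standard library. The following is an added example written for this page; it is not code from the thread, from OpenVPN or from Cisco. It builds two throwaway CAs (the VPN operator's real CA and an "intercepting proxy" CA), has each issue a certificate for the hypothetical gateway name vpn.example.com, and runs three loopback TLS handshakes: genuine certificate against a client that trusts only the real CA, proxy-issued certificate against the same client, and proxy-issued certificate against a client with verification switched off. All certificates and the host name are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a one-day certificate template for name: a CA root when isCA
// is set, otherwise a server leaf whose SAN is the name (constructed test data).
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a fresh P-256 key and has parent sign tmpl; a nil parent
// means self-signed (a CA root).
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// handshake starts a loopback TLS listener presenting cert/key and dials it with a
// client that trusts only trustedCA, or that skips verification when skipVerify is
// set (the "continue anyway" case). It returns the client's handshake error.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, trustedCA *x509.Certificate, host string, skipVerify bool) error {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server side of the handshake; its result is irrelevant here
			c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: host, InsecureSkipVerify: skipVerify})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records how a validating client and a non-validating client react to a
// genuine certificate versus one minted by an intercepting proxy's own CA.
type Outcome struct {
	GenuineAccepted       bool // chains to the real CA, name matches: accepted
	FakeRejectedUnknownCA bool // proxy-issued cert for the same name: rejected, issuer not trusted
	FakeAcceptedNoVerify  bool // same fake cert, verification disabled: silently accepted
}

func RunScenarios() Outcome {
	const host = "vpn.example.com" // hypothetical VPN gateway name
	realCA, realKey := makeCert(template("Real VPN CA", true), nil, nil)
	proxyCA, proxyKey := makeCert(template("Intercepting Proxy CA", true), nil, nil)
	genuine, genuineKey := makeCert(template(host, false), realCA, realKey)
	fake, fakeKey := makeCert(template(host, false), proxyCA, proxyKey)
	var o Outcome
	o.GenuineAccepted = handshake(genuine, genuineKey, realCA, host, false) == nil
	var unknownCA x509.UnknownAuthorityError
	o.FakeRejectedUnknownCA = errors.As(handshake(fake, fakeKey, realCA, host, false), &unknownCA)
	o.FakeAcceptedNoVerify = handshake(fake, fakeKey, realCA, host, true) == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The forged certificate carries exactly the name the client asked for; the only thing that gives it away is that it chains to a CA the client was not told to trust, which is why `RootCAs` is pinned to the one real CA instead of the operating-system store. That distinction matters in practice: an interception proxy is usually deployed together with its CA pushed into the managed machines' OS trust store, so any application that defers to the OS store will accept the proxy's certificates without complaint. OpenVPN does not use the OS store; it validates the server against the CA given by its `ca` directive, and `remote-cert-tls server` additionally requires the server-authentication extended key usage, so interception would require the proxy to hold a certificate issued by that specific CA, not merely by any CA the OS trusts.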
