Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

Ironport decrypting traffic on its own

We had a situation come up today;  we have users that access a site that uses digital certificates (Fedline) for access, and it stopped worked for all users at  multiple branches this morning.  It didn't give any kind of error message - the login (user/pass) page for the site was fully accessible.  Since we are set up with certificates, we don't have the login credentials.  The distant end swore up and down that everything was good on their end. (and it was.)

Turns out, Ironport started dropping/decrypting traffic to that IP address.   The fix action was to add the decrypted IP to our 'Nodecrypt' category.  This had been functioning correctly for months, but we are concerned because it caused a significant outage, and we didn't make any changes to Ironport, but it definitely started treating the traffic destined for that IP differently.  What would cause this kind of behavior?  Is there a way to stop it from doing this again? 

Mike C

3 REPLIES

Ironport decrypting traffic on its own

I had this issue with a bank or two using Entrust, when I added Entrust's intermediate cert to the the WSA, it started decrypting traffic.  I'm not sure if its a bug in the WSA where they aren't following the chain, or if the web site should be importing the intermediate cert...

Assuming IE, View the cert using the browser, on the details tab, click the Copy to File button, save it as a Base-64 encoded x.509.

Then in the WSA, to go Security Services/HTTPS Proxy, click on Manage Trusted Root Certificates... near the bottom, and import the new one.

New Member

Ironport decrypting traffic on its own

Thanks Ken...  but what I am not clear on is why Ironport started treating this traffic differently out of the blue, without any configuration changes.  It happened again this morning with a different IP, same site (although I think importing the certificate like you said would have prevented it from happening, I am off to find a user with the cert)

Just really frustrating and we REALLY want to avoid surprises like this in the future.  If anyone has any ideas on how to prevent this from happening again I am all ears.

Ironport decrypting traffic on its own

Michael,

The piece you're missing is that the web site updated their cert... and/or didn't upload the intermediate cert to the web server.

It was issued 4/10/13, and given how high profile this is, they may not have actually rolled it public without testing etc. so you may not have seen it until now...

You don't have to go find a user, you can get the public and intermediate certs for Entrust yourself, either by going to the site in question using the browser to export each cert, or from Entrust:http://www.entrust.net/knowledge-base/technote.cfm?tn=7869

Now, there is a spot for Cisco to do something here... as the already ship with the Entrust 2048 cert in their trusted store, so why intermediate stuff isn't working, I don't know... Maybe someone from Cisco can pipe in here...

Ken

343
Views
0
Helpful
3
Replies
CreatePlease to create content