Cisco Bug: CSCuj28814 - PRSM ENH Ability to decrypt traffic from untrusted sources

Last Modified

May 26, 2015

Products (1)

  • Cisco ASA Next-Generation Firewall Services

Known Affected Releases

100.3(0.2.26)

Description (partial)

Symptom:
Currently we can configure PRSM to decrypt HTTPS traffic. Normally, traffic from untrusted sources (sources for which certificate validation fails) is dropped. We can change that behavior so that the traffic is accepted.
But that traffic will then never be decrypted, even when decryption policies are set to decrypt all traffic.

We should add the possibility to decrypt that traffic:
1. It should be treated like any other encrypted traffic (i.e., it can be decrypted by decryption policies).
2. Decryption policies and access policies should have an additional condition/argument called "SSL Trust Level" with the values:
- unknown (HTTP traffic)
- untrusted (HTTPS with certificate validation failure)
- trusted (HTTPS with certificate validation success)
Possible other values:
- low level trust (HTTPS with a wildcard certificate validated correctly)
- high level trust (HTTPS with the certificate validated correctly and identity highly confirmed by the CA)

Conditions:
Encrypted traffic from untrusted sources even when accepted will never be decrypted.
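To make the requested behavior concrete, the following is an added toy model of the proposed "SSL Trust Level" condition; it is illustrative code written for this page, not PRSM's configuration model or API, and the flow attributes, rule fields and function names are assumptions. It classifies a connection into the trust levels listed above, then evaluates a decryption policy in two modes: the current behavior described under Symptom (accepted untrusted HTTPS is never decrypted, even under a "decrypt all" rule) and the proposed behavior (untrusted HTTPS is matched against rules like any other encrypted traffic, with the trust level available as a condition).

```python
"""Toy model of the proposed "SSL Trust Level" policy condition (example only,
not PRSM code; field names and rule structure are assumptions)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class SslTrustLevel(str, Enum):
    UNKNOWN = "unknown"      # plain HTTP, nothing to decrypt
    UNTRUSTED = "untrusted"  # HTTPS, certificate validation failed
    LOW = "low"              # HTTPS, wildcard certificate validated correctly
    TRUSTED = "trusted"      # HTTPS, certificate validated correctly
    HIGH = "high"            # HTTPS, validated and identity highly confirmed by the CA


@dataclass(frozen=True)
class Flow:
    """Connection attributes the classifier needs (constructed for the example)."""
    dst: str
    is_https: bool
    cert_valid: bool = False
    wildcard_cert: bool = False
    identity_highly_confirmed: bool = False


def classify(flow: Flow) -> SslTrustLevel:
    """Map a flow to the trust level the enhancement proposes as a condition."""
    if not flow.is_https:
        return SslTrustLevel.UNKNOWN
    if not flow.cert_valid:
        return SslTrustLevel.UNTRUSTED
    if flow.identity_highly_confirmed:
        return SslTrustLevel.HIGH
    if flow.wildcard_cert:
        return SslTrustLevel.LOW
    return SslTrustLevel.TRUSTED


@dataclass(frozen=True)
class DecryptRule:
    name: str
    action: str                                # "decrypt" or "do-not-decrypt"
    trust_levels: Optional[frozenset] = None   # None matches any trust level


def decide(flow: Flow, rules: List[DecryptRule], accept_untrusted: bool,
           proposed: bool) -> str:
    """Return the disposition of a flow: "drop", "decrypt" or "pass".

    proposed=False models the reported symptom: untrusted HTTPS is dropped
    unless accepted, and accepted untrusted traffic is never decrypted even
    when a rule says "decrypt all".
    proposed=True models the enhancement: untrusted HTTPS is matched against
    the rules like any other encrypted traffic, so the SSL Trust Level
    condition decides what happens to it.
    """
    level = classify(flow)
    if level is SslTrustLevel.UNKNOWN:
        return "pass"  # plaintext HTTP, there is nothing to decrypt
    if level is SslTrustLevel.UNTRUSTED:
        if not accept_untrusted:
            return "drop"
        if not proposed:
            return "pass"  # accepted, but never decrypted (the limitation)
    for rule in rules:  # first match wins
        if rule.trust_levels is None or level in rule.trust_levels:
            return "decrypt" if rule.action == "decrypt" else "pass"
    return "pass"  # no matching rule: leave the session encrypted


# Constructed sample flows and policies.
HTTP_FLOW = Flow(dst="intranet.example", is_https=False)
UNTRUSTED_FLOW = Flow(dst="self-signed.example", is_https=True, cert_valid=False)
TRUSTED_FLOW = Flow(dst="shop.example", is_https=True, cert_valid=True)
WILDCARD_FLOW = Flow(dst="cdn.example", is_https=True, cert_valid=True, wildcard_cert=True)
HIGH_FLOW = Flow(dst="bank.example", is_https=True, cert_valid=True,
                 identity_highly_confirmed=True)

DECRYPT_ALL = [DecryptRule("decrypt-all", "decrypt")]
# A policy that only becomes expressible with the new condition.
BY_TRUST_LEVEL = [
    DecryptRule("keep-high-trust-private", "do-not-decrypt",
                frozenset({SslTrustLevel.HIGH})),
    DecryptRule("inspect-everything-else", "decrypt"),
]


def demo() -> dict:
    """Compare the current and proposed handling of the sample flows."""
    return {
        "untrusted_current_accepted": decide(UNTRUSTED_FLOW, DECRYPT_ALL, True, False),
        "untrusted_proposed_accepted": decide(UNTRUSTED_FLOW, DECRYPT_ALL, True, True),
        "untrusted_not_accepted": decide(UNTRUSTED_FLOW, DECRYPT_ALL, False, True),
        "high_by_trust_level": decide(HIGH_FLOW, BY_TRUST_LEVEL, True, True),
        "wildcard_by_trust_level": decide(WILDCARD_FLOW, BY_TRUST_LEVEL, True, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `decide` modes differ only in the early return for untrusted flows: in the current behavior the untrusted branch returns before the rules are consulted, which is exactly why "decrypt all" has no effect on that traffic, while in the proposed behavior the flow falls through to rule matching with its trust level as a condition.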