Cisco Bug: CSCuj28814 - PRSM ENH Ability to decrypt traffic from untrusted sources
May 26, 2015
- Cisco ASA Next-Generation Firewall Services
Known Affected Releases
Symptom: Currently we can configure PRSM to decrypt HTTPS traffic. Normally, traffic from untrusted sources (where certificate validation fails) is dropped. We can change that behavior to accept that traffic, but it will never be decrypted, even when decryption policies are set to decrypt all traffic. We should add the possibility to decrypt that traffic:

1. It should be treated like any other encrypted traffic (possible to decrypt it via decryption policies).
2. In decryption policies and access policies we should have an additional condition/argument called "SSL Trust Level" with the values:
   - unknown (HTTP traffic)
   - untrusted (HTTPS with certificate validation failure)
   - trusted (HTTPS with certificate validation success)

   Possible other values:
   - low level trust (HTTPS with a wildcard certificate validated correctly)
   - high level trust (HTTPS with a certificate validated correctly and identity highly confirmed by the CA)

Conditions: Encrypted traffic from untrusted sources, even when accepted, will never be decrypted.