Cisco Bug: CSCun10896 - CX can't deny SSL if server sends multiple Handshake msg per TLS Record

Last Modified

Aug 14, 2014

Products (1)

  • Cisco ASA Next-Generation Firewall Services

Known Affected Releases

9.2(1.2.50)

Description (partial)

Symptom:
In general, a TLS/SSL server can send its handshake messages in two different ways:
  • One Handshake message per TLS Record
  • Multiple Handshake messages per TLS Record

According to the 9.2(1.2) Build 50 release notes:
"URL category and web reputation are now available for TLS/SSL traffic even if you do not enable decryption. Access policies that use URL filtering or web reputation filtering will now apply correctly to undecrypted TLS/SSL connections."

The above is true only if the server sends one Handshake message per TLS Record.

In the case of multiple Handshake messages per TLS Record, checking the CX tls_proxy.log (TLS Decryption Engine log level = TRACE) shows:
 TRACE TLS_Proxy            - [session_id: 137391014] isMoreDataNeeded: server cetificate NOT_FOUND
 TRACE TLS_Proxy            - [session_id: 141711994] isMoreDataNeeded: packet from client seen.
 TRACE TLS_Proxy            - [session_id: 137391014] isMoreDataNeeded: packet from client seen.
 TRACE TLS_Proxy            - [session_id: 141711994] isMoreDataNeeded: packet from server seen.
 TRACE TLS_Proxy            - [session_id: 141711994] isMoreDataNeeded: original sessionData found.
 TRACE TLS_Proxy            - Entered TlsSnifferBuffer::sniffServerCert. length = 43
 TRACE TLS_Proxy            - TlsSnifferBuffer::sniffServerCert: Loop starting, remLen = 43
 TRACE TLS_Proxy            - [session_id: 141711994] isMoreDataNeeded: server cetificate BAD_FORMAT
 DEBUG TLS_Proxy            - [session: 141711994] getConnectionAccessVerdict returned decision: ALLOW

CX should be able to deny the traffic even if the server sends multiple Handshake messages per TLS Record. Instead, as the last two log lines show, the sniffer reports the server certificate as BAD_FORMAT and the access verdict falls back to ALLOW, so an access policy that should deny the connection based on URL category or web reputation is not enforced for such servers.

Conditions:
Server sends multiple Handshake messages per TLS Record
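To make the framing difference concrete, the following is an added example, not Cisco's code and not the CX TLS proxy implementation. It builds three constructed TLS 1.2 byte streams (one handshake message per record, all messages coalesced into one record, and a Certificate message split across two records), runs a naive sniffer that assumes one handshake message per record against a sniffer that walks handshake messages by their own 3-byte lengths, and shows an access verdict that fails closed when the handshake has finished without a parseable certificate. The ServerHello body, the FAKE_DER blob and the deny_policy_matches callback are placeholders chosen for the example.

```python
# Added example (not Cisco's code): a minimal TLS record/handshake walker that
# finds the server Certificate regardless of how handshake messages are framed
# into records, beside a naive walker that makes the one-message-per-record
# assumption described in the bug.
import struct

CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE = 2, 11, 14


def record(content_type, payload, version=b"\x03\x03"):
    """TLS record: 1-byte content type, 2-byte version, 2-byte length, payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake_msg(hs_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample data, not a real capture. SERVER_HELLO_BODY is a minimal
# ServerHello (version, 32-byte random, empty session id, one cipher suite, null
# compression); FAKE_DER is a placeholder blob, not a parseable certificate.
SERVER_HELLO_BODY = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
FAKE_DER = b"\x30\x82\x00\x04\x02\x02\x0b\xad"
CERT_BODY = ((len(FAKE_DER) + 3).to_bytes(3, "big")      # certificate_list length
             + len(FAKE_DER).to_bytes(3, "big") + FAKE_DER)
SH = handshake_msg(HS_SERVER_HELLO, SERVER_HELLO_BODY)
CERT = handshake_msg(HS_CERTIFICATE, CERT_BODY)
SHD = handshake_msg(HS_SERVER_HELLO_DONE, b"")

# Framing 1: one handshake message per TLS record (the case that works).
ONE_PER_RECORD = (record(CONTENT_HANDSHAKE, SH) + record(CONTENT_HANDSHAKE, CERT)
                  + record(CONTENT_HANDSHAKE, SHD))
# Framing 2: all three handshake messages coalesced into a single record.
MULTI_PER_RECORD = record(CONTENT_HANDSHAKE, SH + CERT + SHD)
# Framing 3: the Certificate message split across two records (also legal TLS).
SPLIT_POINT = len(SH) + 5
SPLIT_ACROSS_RECORDS = (record(CONTENT_HANDSHAKE, (SH + CERT)[:SPLIT_POINT])
                        + record(CONTENT_HANDSHAKE, (SH + CERT)[SPLIT_POINT:] + SHD))


def iter_records(stream):
    """Yield (content_type, payload) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype = stream[off]
        length = struct.unpack("!H", stream[off + 3:off + 5])[0]
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break  # truncated record: wait for more bytes from the server
        yield ctype, payload
        off += 5 + length


def naive_sniff_cert(stream):
    """Buggy assumption: one handshake message per record, at payload offset 0.
    Finds the Certificate only when the server uses framing 1."""
    for ctype, payload in iter_records(stream):
        if ctype == CONTENT_HANDSHAKE and payload and payload[0] == HS_CERTIFICATE:
            return payload[4:4 + int.from_bytes(payload[1:4], "big")]
    return None


def iter_handshake(stream):
    """Yield (hs_type, body) by walking the concatenated handshake payloads using
    each message's own 3-byte length, so coalesced and split messages both work.
    Stops at the first incomplete message."""
    buf = b"".join(p for t, p in iter_records(stream) if t == CONTENT_HANDSHAKE)
    off = 0
    while off + 4 <= len(buf):
        hs_type = buf[off]
        hs_len = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + hs_len]
        if len(body) < hs_len:
            return
        yield hs_type, body
        off += 4 + hs_len


def robust_sniff_cert(stream):
    """Return the Certificate handshake body, or None if not (yet) present."""
    for hs_type, body in iter_handshake(stream):
        if hs_type == HS_CERTIFICATE:
            return body
    return None


def access_verdict(stream, sniff, deny_policy_matches):
    """Verdict for an undecrypted TLS flow. deny_policy_matches is a hypothetical
    callback standing in for the URL-category/reputation lookup on the certificate.
    A finished handshake with no parseable certificate fails closed (DENY) rather
    than falling back to ALLOW as in the log above."""
    cert = sniff(stream)
    if cert is not None:
        return "DENY" if deny_policy_matches(cert) else "ALLOW"
    if any(t == HS_SERVER_HELLO_DONE for t, _ in iter_handshake(stream)):
        return "DENY"
    return "NEED_MORE_DATA"
```

The naive sniffer behaves like the log: for the coalesced and split framings it never sees a record whose payload starts with a Certificate message, so it has nothing to match a deny policy against. The robust walker concatenates the handshake payloads of all handshake-type records and lets each message's own length header delimit it, which is what the TLS record layer requires a receiver to do anyway; with that in place the same policy check produces the same verdict for all three framings.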