
SSL/TLS Decryption rule errors

Hello everyone,

Since v20 I need to disable / enable an SSL/TLS Decryption rule nearly every day to every 2 days. It stops processing traffic and on a client device it "feels" like the internet is down. It instantly recovers after disabling / enabling the rule.

The SSL/TLS Log Area shows the following errors when this happens.

Does anybody have suggestions on how to stop this? Is this a bug?


  • Hi Akilae,

    Seems we have the same problems here... Have you found a solution for that behaviour?

    Greetings

    Marco

  • The underlying issue is that we upgraded openssl in v20, which changes default support for certain encryption types.  If you use the out of box "SecurityAppliance_SSL_CA" or the "Default" CA then everything is fine.

    However, if you changed to use the Default CA and have also regenerated the Default CA as EC, then it will fail to load the CA on startup.  This is due to an order-of-operations issue where we load the CA before enabling encryption types.  Changing the configuration later causes a reload of the CAs, which now works because the support for encryption types has already been enabled (at service start).


    The reason it periodically stops working every few days is that the XG downloads new IPS signatures and restarts the IPS process, leading to the order-of-operations issue during start.


    Workaround Option 1:
    Go to Web > General Settings > HTTPS scanning certificate authority and change to SecurityAppliance_SSL_CA
    Go to Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings and make the same change for the Re-sign with.
    Note: This will change the CA which means you will need to redeploy the new CA you are using to the clients.

    Workaround Option 2:
    Go to Rules and policies > SSL/TLS inspection rules and disable (turn off) all rules.
    Wait for the hotfix to be deployed (I will notify this thread).
    Re-enable the Decrypt rules
    Note: This will lower protection and visibility for a while until the hotfix is available.  But there is no impact to end users.

    We will be doing a hotfix for this.

    Edit: Added additional workaround and confirmed hotfix.
