How to deal with and troubleshoot TLS certificate pinning with SSL Decryption on Firepower Threat Defense (Cisco Secure Firewall)

Some applications use a technique referred to as TLS/SSL pinning or certificate pinning, which embeds the fingerprint of the original server certificate in the application itself. As a result, if you configured a TLS/SSL rule with a Decrypt – Resign action and this rule matches the traffic, the application receives a re-signed certificate from Cisco FTD (Firepower Threat Defense), its validation fails, and the connection is aborted.

In a Wireshark capture taken on the client side of the connection (or on the application host), you can detect this failed validation by the TLS Alert message. The Alert indicates that the re-signed certificate is not recognized by the application, because the application expects to receive and validate only a server certificate signed by a specific CA (Certification Authority), but it is receiving a server certificate signed by the Cisco FTD firewall. Finally, the application sends a TCP Reset to close the TCP connection.
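To turn what the capture shows into a repeatable check, here is an added example (not code from the original post or from Cisco) that decodes TLS Alert records from a captured byte stream and flags the certificate-rejection alerts a pinning client sends back; the sample bytes are constructed and the stream is assumed to be the raw TCP payload.

```python
"""Decode TLS Alert records from a captured byte stream and flag the alerts
that mean the client rejected the (re-signed) server certificate."""
import struct

ALERT = 21  # TLS record ContentType for Alert
LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 / RFC 8446 (subset relevant here)
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 80: "internal_error",
}
# Alerts a pinning client typically sends when the chain is not the one it expects
CERT_REJECTION = {42, 43, 44, 45, 46, 48}

def iter_records(stream):
    """Yield (content_type, version, body) for each TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record at the end of the capture; stop rather than mis-parse
        yield ctype, version, body
        off += 5 + length

def find_alerts(stream):
    """Return decoded alerts as dicts. Only plaintext alerts are decodable: in TLS 1.2
    the post-Certificate alert is still in the clear, in TLS 1.3 it is encrypted."""
    alerts = []
    for ctype, _version, body in iter_records(stream):
        if ctype != ALERT or len(body) != 2:
            continue
        level, desc = body[0], body[1]
        alerts.append({
            "level": LEVELS.get(level, f"unknown({level})"),
            "description": DESCRIPTIONS.get(desc, f"unknown({desc})"),
            "cert_rejected": desc in CERT_REJECTION,
        })
    return alerts

# Constructed sample: a TLS 1.2 Handshake record (5-byte body) followed by the
# client's fatal unknown_ca alert, as seen when a pinning app gets a re-signed cert.
SAMPLE_STREAM = (
    bytes.fromhex("16030300050100000100")  # Handshake record, length 5
    + bytes.fromhex("1503030002" "0230")   # Alert record: fatal (2), unknown_ca (48)
)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_STREAM):
        print(alert)
```

A `cert_rejected` alert followed immediately by a client-side TCP RST is the pinning signature described above; an "Encrypted Alert" in Wireshark means the same thing happened under TLS 1.3, but the description cannot be read from the wire.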

If your browser or application uses certificate pinning to verify the server certificate, you cannot decrypt this traffic by re-signing the server certificate. Instead, use the Pinned Certificate application tag available in the SSL Policy: use this tag to match application traffic that should bypass decryption with the Do not decrypt action.
