Decryption Policy Advanced Options
A decryption policy's Advanced Settings page has global settings that are applied to all managed devices configured for Snort 3 to which the policy is applied.
A decryption policy's advanced settings are all ignored on any managed device that runs:
- A version earlier than 7.1
- Snort 2
Block flows requesting ESNI
Encrypted Server Name Indication (ESNI) is a way for a client to tell a TLS 1.3 server what the client is requesting while keeping that name hidden from anyone on the path. Because the SNI is encrypted, the system cannot determine which server the client is connecting to, so you can optionally block these connections.
Disable HTTP/3 advertisement
This option strips HTTP/3 (RFC 9114) from the ClientHello in TCP connections. HTTP/3 runs over the QUIC transport protocol, not over TCP. Blocking clients from advertising HTTP/3 protects against attacks and evasion attempts that could be buried inside QUIC connections.
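The two options above both act on fields of the TLS ClientHello: one on the extension list (is an ESNI extension present?) and one on the ALPN list (is "h3" advertised?). The following is an added illustration, not Cisco's code and not part of this page: a small ClientHello parser that extracts the SNI and ALPN values, flags a ClientHello that requests ESNI, and rewrites the ALPN list with "h3" removed while fixing the enclosing record, handshake and extension lengths. The sample ClientHello is constructed inline; the function names, and the ESNI/ECH extension codepoints (taken from the IETF drafts, not from this page), are assumptions.

```python
import struct

# TLS extension codepoints (RFC 6066 server_name, RFC 7301 ALPN).
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
# Assumption: the draft ESNI extension codepoint (draft-ietf-tls-esni, 0xffce) and the
# Encrypted ClientHello codepoint that superseded it (0xfe0d); neither is on the page.
EXT_ESNI = 0xFFCE
EXT_ECH = 0xFE0D


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, alpn_protocols, extra_exts=()):
    """Build a minimal ClientHello record (constructed sample input, not a real capture)."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if alpn_protocols:
        lst = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
        exts += _ext(EXT_ALPN, struct.pack("!H", len(lst)) + lst)
    for ext_type, body in extra_exts:
        exts += _ext(ext_type, body)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _extensions_offset(rec):
    """Return the offset of the 2-byte extensions length field inside a ClientHello record."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                                  # session id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]    # cipher suites
    p += 1 + rec[p]                                  # compression methods
    return p


def _iter_extensions(rec):
    start = _extensions_offset(rec)
    ext_len = struct.unpack("!H", rec[start:start + 2])[0]
    p, end = start + 2, start + 2 + ext_len
    while p < end:
        ext_type, length = struct.unpack("!HH", rec[p:p + 4])
        yield ext_type, rec[p + 4:p + 4 + length]
        p += 4 + length


def parse_client_hello(rec):
    """Extract the SNI, ALPN list and extension types a decryption policy would look at."""
    info = {"sni": None, "alpn": [], "extensions": []}
    for ext_type, body in _iter_extensions(rec):
        info["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            q = 2                                    # skip ServerNameList length
            while q < len(body):
                name_type = body[q]
                name_len = struct.unpack("!H", body[q + 1:q + 3])[0]
                if name_type == 0:
                    info["sni"] = body[q + 3:q + 3 + name_len].decode()
                q += 3 + name_len
        elif ext_type == EXT_ALPN:
            q = 2                                    # skip ProtocolNameList length
            while q < len(body):
                plen = body[q]
                info["alpn"].append(body[q + 1:q + 1 + plen].decode())
                q += 1 + plen
    return info


def requests_esni(info):
    """True when the client carries an ESNI (or ECH) extension: the server name is hidden."""
    return EXT_ESNI in info["extensions"] or EXT_ECH in info["extensions"]


def strip_h3_advertisement(rec):
    """Return a copy of the ClientHello with 'h3' removed from ALPN and all lengths fixed."""
    start = _extensions_offset(rec)
    out = bytearray(rec[:start + 2])                 # keep everything up to the ext length
    for ext_type, body in _iter_extensions(rec):
        if ext_type == EXT_ALPN:
            kept = b""
            q = 2
            while q < len(body):
                plen = body[q]
                proto = body[q + 1:q + 1 + plen]
                q += 1 + plen
                if proto != b"h3":
                    kept += bytes([plen]) + proto
            if not kept:                             # drop an ALPN extension that would be empty
                continue
            body = struct.pack("!H", len(kept)) + kept
        out += _ext(ext_type, body)
    struct.pack_into("!H", out, start, len(out) - start - 2)   # extensions length
    out[6:9] = (len(out) - 9).to_bytes(3, "big")                # handshake length
    struct.pack_into("!H", out, 3, len(out) - 5)                # record length
    return bytes(out)
```

A ClientHello that passes `requests_esni` has no plaintext SNI to match against URL or certificate conditions, which is exactly why the page offers the block option; `strip_h3_advertisement` shows the length bookkeeping an inline device must do when it edits the ALPN list rather than dropping the connection.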
Propagate untrusted server certificates to clients
This applies only to traffic matching a Decrypt - Resign rule action.
Enable this option to substitute the certificate authority (CA) on the managed device for the server's certificate when the server certificate is untrusted. An untrusted server certificate is one that is not listed as a trusted CA in Cisco Security Cloud Control (Objects).
Enable TLS 1.3 Decryption
Whether to apply decryption rules to TLS 1.3 connections. If you do not enable this option, the decryption rules apply to TLS 1.2 or lower traffic only. See TLS 1.3 Decryption Best Practices.
Enable adaptive TLS server identity probe
Automatically enabled when TLS 1.3 decryption is enabled. A probe is a partial TLS connection with the server, the purpose of which is to obtain the server certificate and cache it. (If the certificate is already cached, the probe is never established.)
If TLS 1.3 Server Identity Discovery is disabled on the access control policy with which the decryption policy is associated, the system attempts to use the Server Name Indication (SNI) instead, which is less reliable.
The adaptive TLS server identity probe occurs on any of the following conditions as opposed to on every connection as in earlier releases:
- Certificate Issuer—Matched when the value of Issuer DNs in a decryption rule's DN rule condition is matched.
  For more information, see Distinguished Name (DN) Rule Conditions.
- Certificate Status—Matched when any of the Cert Status conditions are matched in a decryption rule.
  For more information, see Certificate Status Decryption Rule Conditions.
- Internal/External Certificate—Internal certificates can be matched by the certificate used in Decrypt - Known Key rule actions; external certificates can be matched in Certificates rule conditions.
  For more information, see Known Key Decryption (Incoming Traffic) and Certificate Decryption Rule Conditions.
- Application ID—Can be matched by Applications rule conditions in either an access control policy or a decryption policy.
  For more information, see Application Rule Conditions.
- URL Category—Can be matched by URLs rule conditions in an access control policy.
  For more information, see URL Rule Conditions.
Note: Enable adaptive TLS server discovery mode is not supported on any Secure Firewall Threat Defense Virtual deployed to AWS. If you have any such managed devices managed by Cisco Security Cloud Control, the connection event PROBE_FLOW_DROP_BYPASS_PROXY increments every time the device attempts to extract the server certificate.
QUIC Decryption
Whether to apply decryption rules to connections that use HTTP/3 over the QUIC protocol. When you decrypt QUIC connections, the system can inspect the contents of the sessions for intrusions, malware, or other issues. You can also apply granular control and filtering of decrypted QUIC connections based on specific criteria in the access control policy. QUIC support is in line with RFCs 9000, 9001, 9002, 9114, and 9204.
Consider the following when implementing QUIC decryption:
- QUIC decryption is not supported on high availability or clustered devices. Multi-instance is supported.
- Decryption rules that apply to QUIC traffic should match the UDP protocol with destination port 443.
- Access control rules that apply to QUIC traffic should include the HTTP/3 or QUIC applications, either explicitly or by implication.
The following limitations apply to QUIC decryption:
- QUIC decryption applies to Threat Defense 7.6+ only. Devices running a lower release cannot decrypt QUIC connections.
- Connections from browsers using the Chromium stack (Google Chrome, Opera, Edge) cannot be decrypted for outbound traffic. Inbound traffic from the same browsers can be decrypted.
- Connection Migration as described in RFC 9000 is not supported. The Connection ID concept in QUIC allows endpoints to retain the same connection when an address changes.
- Key update, session resumption, and QUIC version 2 are not supported.
- Interactive Block and Interactive Block with Reset (in access control rules) are not supported. These actions behave as Block and Block with Reset.
- The number of active connection IDs per connection is limited to 5. The maximum number of streams per connection is limited to 25. If necessary, you can modify these limits using the system support quic-tuning and system support quic-tuning-reset commands in the device CLI.
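To make the rule-matching notes and the version limitation above concrete, here is an added example that is not Cisco's code and not part of this page. It parses the version-independent QUIC long header (RFC 8999: first byte, 4-byte version, length-prefixed destination and source connection IDs) and then applies the page's conditions: the flow must be UDP to port 443, must carry a long-header packet, and must use QUIC version 1 (RFC 9000), since the page states that QUIC version 2 is not supported. The packets are constructed inline; the function names and the result labels are assumptions.

```python
import struct

QUIC_V1 = 0x00000001      # RFC 9000
QUIC_V2 = 0x6B3343CF      # RFC 9369 (QUIC version 2), listed on the page as unsupported
QUIC_PORT = 443           # the page's rule note: UDP destination port 443


def build_long_header(version, dcid, scid, type_bits):
    """Construct a QUIC long-header packet prefix (sample input, not a real capture)."""
    first = 0xC0 | (type_bits << 4)       # long header bit, fixed bit, packet type bits
    return (bytes([first]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)


def parse_quic_long_header(payload):
    """Parse the RFC 8999 long-header invariants; return None for short headers or junk."""
    if len(payload) < 7 or not payload[0] & 0x80:
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    p = 5
    dcid_len = payload[p]
    dcid = payload[p + 1:p + 1 + dcid_len]
    p += 1 + dcid_len
    if p >= len(payload):
        return None
    scid_len = payload[p]
    scid = payload[p + 1:p + 1 + scid_len]
    return {"first_byte": payload[0], "version": version, "dcid": dcid, "scid": scid}


def classify_udp_flow(dst_port, proto, payload):
    """Decide whether a flow can be a QUIC decryption candidate under the page's limitations."""
    if proto != "udp" or dst_port != QUIC_PORT:
        return "not-quic-rule-match"        # the UDP/443 rule condition does not match
    hdr = parse_quic_long_header(payload)
    if hdr is None:
        return "no-long-header"             # no handshake visible, nothing to decrypt
    if hdr["version"] == 0:
        return "version-negotiation"        # RFC 8999: version 0 is Version Negotiation
    if hdr["version"] == QUIC_V2:
        return "quic-v2-unsupported"        # page: QUIC version 2 is not supported
    if hdr["version"] != QUIC_V1:
        return "unknown-version"
    if (hdr["first_byte"] & 0x30) >> 4 != 0:
        return "v1-non-initial"             # v1 Initial packets carry type bits 00
    return "decrypt-candidate"


def summarize(flows):
    """Count outcomes over (dst_port, proto, payload) tuples, e.g. for a capture review."""
    counts = {}
    for dst_port, proto, payload in flows:
        label = classify_udp_flow(dst_port, proto, payload)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        (443, "udp", build_long_header(QUIC_V1, b"\x01" * 8, b"\x02" * 8, 0)),
        (443, "udp", build_long_header(QUIC_V2, b"\x03" * 8, b"", 1)),
        (443, "udp", b"\x40" + b"\x00" * 20),   # short header: no Initial seen
        (8443, "udp", build_long_header(QUIC_V1, b"\x04" * 8, b"", 0)),
    ]
    for label, n in sorted(summarize(sample).items()):
        print(f"{label}: {n}")
```

The classifier only looks at header invariants, so it cannot tell whether a flow later migrates to a new address or performs a key update (both listed as unsupported on the page); those require state the device keeps after decryption begins.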