TLS Crypto Acceleration Guidelines and Limitations
Keep the following in mind if your managed device has TLS crypto acceleration enabled.
HTTP-only performance
Using TLS crypto acceleration on a managed device that is not decrypting traffic can affect performance.
Federal Information Processing Standards (FIPS)
If TLS crypto acceleration and Federal Information Processing Standards (FIPS) are both enabled, connections with the following options fail:
-
RSA keys less than 2048 bytes in size
-
Rivest cipher 4 (RC4)
-
Single Data Encryption Standard (single DES)
-
Merkle–Damgard 5 (MD5)
-
SSL v3
FIPS is enabled when you configure the management center and managed devices to operate in a security certifications compliance mode. To allow connections when operating in those modes, you can configure web browsers to accept more secure options.
For more information:
-
Ciphers supported by FIPS: About SSL Settings.
TLS heartbeat
Some applications use the TLS heartbeat extension to the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols defined by RFC6520. TLS heartbeat provides a way to confirm the connection is still alive—either the client or server sends a specified number of bytes of data and requests the other party echo the response. If this is successful, encrypted data is sent.
When a managed device with TLS crypto acceleration enabled encounters a packet that uses the TLS heartbeat extension, the managed device takes the action specified by the setting for Decryption Errors in the decryption policy's Undecryptable Actions:
-
Block
-
Block with reset
For more information, see Default Handling Options for Undecryptable Traffic.
To determine whether applications are using TLS heartbeat, see Troubleshoot TLS Heartbeat.
You can configure a Max Heartbeat Length in a Network Analysis Policy (NAP) to determine how to handle TLS heartbeats. For more information, see The SSL Preprocessor.
TLS/SSL oversubscription
TLS/SSL oversubscription is a state where a managed device is overloaded with TLS/SSL traffic. Any managed device can experience TLS/SSL oversubscription but only managed devices that support TLS crypto acceleration provide a configurable way to handle it.
When a managed device with TLS crypto acceleration enabled is oversubscribed, any packet received by the managed device is acted on according to the setting for Handshake Errors in the decryption policy's Undecryptable Actions:
-
Inherit default action
-
Do not decrypt
-
Block
-
Block with reset
If the setting for Handshake Errors in the decryption policy's Undecryptable Actions is Do Not decrypt and the associated access control policy is configured to inspect the traffic, inspection occurs; decryption does not occur.
If a significant amount of oversubscription is occurring, you have the following options:
-
Upgrade your managed devices to increase TLS/SSL processing capacity.
-
Change your decryption policies to add Do Not Decrypt rules for traffic that is not a high priority to decrypt.