Decryption Policy Advanced Options
A decryption policy's Advanced Settings page has global settings that are applied to all managed devices configured for Snort 3 to which the policy is applied.
A decryption policy's advanced settings are all ignored on any managed device that runs:
- A version earlier than 7.1
- Snort 2
Block flows requesting ESNI
Encrypted Server Name Indication (ESNI) is a way for a client to tell a TLS 1.3 server what the client is requesting without exposing the server name in cleartext. Because the SNI is encrypted, the system cannot determine what the server is, so you can optionally block these connections.
Disable HTTP/3 advertisement
This option strips HTTP/3 (RFC 9114) from the ClientHello in TCP connections. HTTP/3 runs over the QUIC transport protocol, not over TCP. Blocking clients from advertising HTTP/3 provides protection against attacks and evasion attempts potentially buried within QUIC connections.
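The two ClientHello checks above, modelled in Python as an added example (this is not Cisco's code, and the page does not describe how the device implements either option): requests_esni flags a ClientHello that carries the draft ESNI extension, and strip_h3 rebuilds a ClientHello with the HTTP/3 token removed. It assumes the advertisement the option strips is the ALPN h3 token (RFC 7301) and that draft ESNI used extension code point 0xffce; the ClientHello bytes are constructed inline.

```python
import struct
ESNI_EXT = 0xFFCE  # encrypted_server_name, draft-ietf-tls-esni code point (assumed; ECH differs)
ALPN_EXT = 0x0010  # application_layer_protocol_negotiation, RFC 7301

def alpn(names):
    lst = b"".join(bytes([len(n)]) + n.encode() for n in names)  # ProtocolNameList entries
    return struct.pack(">H", len(lst)) + lst

def build_client_hello(exts):
    """Constructed minimal ClientHello record (zero random, one cipher suite) carrying exts."""
    ext_body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x03" + b"\x00" * 32           # client_version + 32-byte random (constructed)
            + b"\x00\x00\x02\x13\x01\x01\x00"    # empty session_id, 1 cipher suite, null compression
            + struct.pack(">H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big")  # handshake type client_hello + 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs) + len(body)) + hs + body

def parse_extensions(record):  # walk a ClientHello record, return [(ext_type, ext_data), ...]
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 5 + 4 + 2 + 32                                 # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                 # session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                                 # compression_methods
    end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p, exts = p + 2, []
    while p < end:
        t, n = struct.unpack(">HH", record[p:p + 4])
        exts.append((t, record[p + 4:p + 4 + n]))
        p += 4 + n
    return exts

def requests_esni(record):
    return any(t == ESNI_EXT for t, _ in parse_extensions(record))  # the flow the option blocks
def alpn_names(record):  # ALPN protocol names in advertised order; [] if no ALPN extension
    for t, d in parse_extensions(record):
        if t == ALPN_EXT:
            names, q = [], 2
            while q < len(d):
                names.append(d[q + 1:q + 1 + d[q]].decode())
                q += 1 + d[q]
            return names
    return []

def strip_h3(record):
    """Rebuild the ClientHello with 'h3' removed from ALPN; drop ALPN if nothing would remain."""
    keep = [n for n in alpn_names(record) if n != "h3"]
    exts = [(t, alpn(keep) if t == ALPN_EXT else d)
            for t, d in parse_extensions(record) if t != ALPN_EXT or keep]
    return build_client_hello(exts)
```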
Propagate untrusted server certificates to clients
This applies only to traffic matching a Decrypt - Resign rule action.
Enable this option to substitute the certificate authority (CA) on the managed device for the server's certificate in cases where the server certificate is untrusted. An untrusted server certificate is one that is not listed as a trusted CA in the Cisco Defense Orchestrator (Objects > FTD Network Objects).
Enable TLS 1.3 Decryption
Whether to apply decryption rules to TLS 1.3 connections. If you do not enable this option, the decryption rules apply to TLS 1.2 or lower traffic only. See TLS 1.3 Decryption Best Practices.
Enable adaptive TLS server identity probe
Automatically enabled when TLS 1.3 decryption is enabled. A probe is a partial TLS connection with the server, the purpose of which is to obtain the server certificate and cache it. (If the certificate is already cached, the probe is never established.)
If TLS 1.3 Server Identity Discovery is disabled on the access control policy with which the decryption policy is associated, we attempt to use the Server Name Indication (SNI), which is not as reliable.
The adaptive TLS server identity probe occurs on any of the following conditions as opposed to on every connection as in earlier releases:
- Certificate Issuer—Matched when the value of Issuer DNs in a decryption rule's DN rule condition is matched. For more information, see Distinguished Name (DN) Rule Conditions.
- Certificate Status—Matched when any of the Cert Status conditions are matched in a decryption rule. For more information, see Certificate Status Decryption Rule Conditions.
- Internal/External Certificate—Internal certificates can be matched by the certificate used in Decrypt - Known Key rule actions; external certificates can be matched in Certificates rule conditions. For more information, see Known Key Decryption (Incoming Traffic) and Certificate Decryption Rule Conditions.
- Application ID—Can be matched by Applications rule conditions in either an access control policy or a decryption policy. For more information, see Application Rule Conditions.
- URL Category—Can be matched by URLs rule conditions in an access control policy. For more information, see URL Rule Conditions.
Note: Enable adaptive TLS server discovery mode is not supported on any Secure Firewall Threat Defense Virtual deployed to AWS. If you have any such managed devices managed by the Cisco Defense Orchestrator, the connection event PROBE_FLOW_DROP_BYPASS_PROXY increments every time the device attempts to extract the server certificate.