TLS 1.3 Decryption Best Practices
Recommendation: When to enable advanced options
Both the decryption policy and the access control policy have advanced options that affect how traffic is handled, whether or not that traffic is decrypted.
The advanced options are:
- Decryption policy:
  - TLS 1.3 decryption
  - TLS adaptive server identity probe
- Access control policy: TLS 1.3 Server Identity Discovery
The access control policy setting takes precedence over the decryption policy setting.
Use the following table to decide which option to enable:
TLS adaptive server identity probe setting (decryption policy) | TLS 1.3 Server Identity Discovery setting (access control policy) | Result | Recommended when |
---|---|---|---|
Enabled | Disabled | Adaptive probe is sent if the decryption policy contains any of the rule conditions specified in Decryption Policy Advanced Options and the server certificate is not cached. | |
Enabled | Enabled | Probe is always sent if the server certificate is not cached. | Use only if your access control rules have URL or application conditions. |
Disabled | Enabled | Probe is always sent if the server certificate is not cached. | Not recommended. |
Disabled | Disabled | Probe is never sent. | Very limited usefulness; use only if you are not decrypting traffic and not using application or URL conditions in the access control rules. |
Note: A cached TLS server certificate is available to all Snort instances on a particular threat defense device. The cache can be cleared with a CLI command and is cleared automatically when the device is rebooted.
Reference
For more information, see the discussion of TLS server identity discovery on secure.cisco.com.