Guidelines for Using TLS/SSL Decryption

General guideline

decryption rules require processing overhead that can impact performance. Determine which traffic must be decrypted and subjected to deep inspection before you set up any policies or rules.

You cannot decrypt traffic on a device that has passive or inline tap mode interfaces.

Guidelines for undecryptable traffic

We can determine that certain traffic is not decryptable either because the website itself is not decryptable or because the website uses TLS/SSL pinning, which effectively prevents users from accessing a decrypted site without errors in their browser.

For more information about certificate pinning, see About TLS/SSL Pinning.

We maintain the list of these sites as follows:

A Distinguished Name (DN) group named Cisco-Undecryptable-Sites
The pinned certificate or undecryptable application filter

If you are decrypting traffic and you do not want users to see errors in their browsers when going to these sites, we recommend you set up a Do Not Decrypt rule toward the bottom of your decryption rules.

An example of setting up a pinned certificate application filter follows.

Use the Application type pinned certificate in a Do Not Decrypt rule to prevent users from getting errors browsing to pinned sites