Verify TLS/SSL Cipher Suites
Before you begin
This topic discusses actions you must take if you see the following error when saving a decryption rule that has cipher suite conditions:
Traffic cannot match this rule; none of your selected cipher suites contain a signature algorithm that the resigning CA's signature algorithm
The error indicates that one or more of the cipher suites you chose for the decryption rule condition are incompatible with the certificate used in the decryption rule. To resolve the issue, you must have access to the certificate you're using.
Note: The tasks in this topic assume knowledge of how TLS/SSL encryption works.
Procedure
Step 1. When you attempt to save an SSL rule with either Decrypt - Resign or Decrypt - Known Key with specified cipher suites, the error quoted at the start of this topic is displayed.
Step 2. Locate the certificate you're using to decrypt traffic and, if necessary, copy the certificate to a system that can run openssl commands.
Step 3. Run the following command to display the signature algorithm used by the certificate:
openssl x509 -in CertificateName -text -noout
Look for the Signature Algorithm line in the first few lines of output.
Step 4. The Signature Algorithm value tells you the signature (authentication) algorithm and the hash the certificate was signed with; in the example used in this topic, ecdsa-with-SHA256, that is ECDSA with SHA-256. The cipher suites you select for the rule must use a matching signature algorithm.
Step 5. Search a resource such as OpenSSL at University of Utah for cipher suites that match those values. The cipher suite must be in RFC format. You can also search a variety of other sites, such as Server Side TLS at the Mozilla wiki or Appendix C of RFC 5246. Cipher Suites in TLS/SSL (Schannel SSP) in Microsoft documentation has a detailed explanation of cipher suites.
Step 6. If necessary, translate the OpenSSL name to an RFC name that the Firepower Management System uses. See the RFC mapping list on the https://testssl.sh site.
Step 7. The previous example, ecdsa-with-SHA256, can be found in the Modern Compatibility List on the Mozilla wiki.
Step 8. Add the cipher suites you found to your decryption rule.
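The following POSIX shell script is an added example, not part of the Cisco documentation, that automates Steps 3 to 7: it extracts the Signature Algorithm line from openssl x509 text output, maps it to the authentication algorithm a cipher suite must use, and filters a list of RFC-format cipher suite names accordingly. The certificate text and the cipher suite list are constructed samples embedded in the script, and the helper names (extract_sig_alg, sig_alg_auth, compatible_suites) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): derive the cipher suite
# authentication algorithm from a certificate's signature algorithm and list
# the RFC-format cipher suites that are compatible with it.

# Constructed sample of the first lines printed by
# `openssl x509 -in cert.pem -text -noout` for a hypothetical
# ECDSA/SHA-256 resigning CA certificate (not real output).
SAMPLE_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Example Resigning CA
        Subject: CN = Example Resigning CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey'

# Print the first "Signature Algorithm:" value found in x509 text read from stdin.
# Real usage: openssl x509 -in CertificateName -text -noout | extract_sig_alg
extract_sig_alg() {
  awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# Map an OpenSSL signature-algorithm name (e.g. ecdsa-with-SHA256,
# sha256WithRSAEncryption) to the authentication algorithm a cipher suite
# must use. Only the ECDSA and RSA families are handled; anything else is
# reported as UNKNOWN so the caller does not silently pick wrong suites.
sig_alg_auth() {
  case "$1" in
    ecdsa-with-*)       echo ECDSA ;;
    *WithRSAEncryption) echo RSA ;;
    *)                  echo UNKNOWN ;;
  esac
}

# Constructed subset of RFC-format (IANA) TLS 1.2 cipher suite names. In this
# naming scheme the token before WITH names the authentication algorithm
# (ECDSA or RSA), which is what has to match the certificate.
RFC_CIPHER_SUITES='TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA'

# Print the suites from RFC_CIPHER_SUITES that authenticate with the given
# algorithm; fail (exit status 1) for an algorithm we cannot map.
compatible_suites() {
  case "$1" in
    ECDSA) printf '%s\n' "$RFC_CIPHER_SUITES" | grep '_ECDSA_WITH_' ;;
    RSA)   printf '%s\n' "$RFC_CIPHER_SUITES" | grep '_RSA_WITH_' ;;
    *)     echo "no cipher suite mapping for authentication algorithm: $1" >&2
           return 1 ;;
  esac
}

# Walk the constructed certificate through the procedure.
sig="$(printf '%s\n' "$SAMPLE_X509_TEXT" | extract_sig_alg)"
auth="$(sig_alg_auth "$sig")"
echo "Signature algorithm: $sig (cipher suites must authenticate with $auth)"
compatible_suites "$auth"
```

Two points worth checking when you run this against a real certificate: the Signature Algorithm line shows the algorithm the issuer used to sign the certificate, while the certificate's own key type appears under Public Key Algorithm, so for a CA certificate you did not self-sign confirm both lines agree on ECDSA versus RSA before filtering. Also, the grep is deliberately strict: suites whose names carry a different authentication token are dropped rather than guessed, which is exactly the mismatch the Firepower error is reporting.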