About TLS/SSL Pinning
Some applications use a technique referred to as TLS/SSL pinning or certificate pinning, which embeds the fingerprint of the original server certificate in the application itself. As a result, if you configured a TLS/SSL rule with a Decrypt - Resign action, when the application receives a resigned certificate from a managed device, validation fails and the connection is aborted.
To confirm that TLS/SSL pinning is occurring, attempt to log in to a mobile application like Facebook. If a network connection error is displayed, log in using a web browser. (For example, you cannot log in to a Facebook mobile application but can log in to Facebook using Safari or Chrome.) You can use Firepower Management Center connection events as further proof of TLS/SSL pinning
Note |
TLS/SSL pinning is not limited to mobile applications. |
Troubleshoot TLS/SSL Pinning
You can view connection events to determine whether or not the devices are experiencing SSL pinning. You must add at least the SSL Flow Flags and SSL Flow Messages columns to the table view of connection events.
Before you begin
-
Enable logging for your TLS/SSL rules as discussed in Logging Decryptable Connections with SSL Rules.
-
Log in to a mobile application like Facebook; if a network connection error displays, log in to Facebook using Chrome or Safari. If you can log in using a web browser but not the native application, SSL pinning is likely occurring.
Procedure
Step 1 |
If you haven't done so already, log in to the Firepower Management Center. |
Step 2 |
Click . |
Step 3 |
Click Table View of Connection Events. |
Step 4 |
Click x on any column in the connection events table to add additional columns for at least SSL Flow Flags and SSL Flow Messages. The following example shows adding the SSL Actual Action, SSL Flow Error, SSL Flow Flags, SSL Flow Messages, SSL Policy, and SSL Rule columns to the table of connection events. The columns are added in the order discussed in Connection and Security Intelligence Event Fields. |
Step 5 |
Click Apply. |
Step 6 |
The following paragraphs discuss how you can identify SSL pinning behavior. |
Step 7 |
If you determine that applications in your network use SSL pinning, see TLS/SSL Rule Guidelines and Limitations. |
What to do next
You can use TLS/SSL connection events to confirm TLS/SSL pinning is occurring by looking for any of the following:
-
Applications that send an SSL ALERT Message as soon as the client receives the SERVER_HELLO, SERVER_CERTIFICATE, SERVER_HELLO_DONE message from the server, followed by a TCP Reset, exhibit the following symptoms. (The alert, Unknown CA (48), can be viewed using a packet capture.)
-
The SSL Flow Flags column displays ALERT_SEEN but not APP_DATA_C2S or APP_DATA_S2C.
-
The SSL Flow Messages column typically displays: CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE.
-
Success is displayed in the SSL Flow Error column.
-
-
Applications that send no alerts but instead send TCP Reset after the SSL handshake is finished exhibit the following symptoms:
-
The SSL Flow Flags column does not display ALERT_SEEN, APP_DATA_C2S, or APP_DATA_S2C.
-
The SSL Flow Messages column typically displays: CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, CLIENT_CHANGE_CIPHER_SPEC, CLIENT_FINISHED,SERVER_CHANGE_CIPHER_SPEC, SERVER_FINISHED.
-
Success is displayed in the SSL Flow Error column.
-
Troubleshoot Unknown or Bad Certificates or Certificate Authorities
You can view connection events to determine whether or not the devices are experiencing unknown certificate authorities, bad certificates, or unknown certificates. This procedure can also be used if a TLS/SSL certificate has been pinned. You must add at least the SSL Flow Flags and SSL Flow Messages columns to the table view of connection events.
Before you begin
-
Set up a TLS/SSL decryption rule.
-
Enable logging for your TLS/SSL rules as discussed in Logging Decryptable Connections with SSL Rules.
Procedure
Step 1 |
If you haven't done so already, log in to the Firepower Management Center. |
||||||||
Step 2 |
Click . |
||||||||
Step 3 |
Click Table View of Connection Events. |
||||||||
Step 4 |
Click x on any column in the connection events table to add additional columns for at least SSL Flow Flags and SSL Flow Messages. The following example shows adding the SSL Actual Action, SSL Flow Error, SSL Flow Flags, SSL Flow Messages, SSL Policy, and SSL Rule columns to the table of connection events. The columns are added in the order discussed in Connection and Security Intelligence Event Fields. |
||||||||
Step 5 |
Click Apply. |
||||||||
Step 6 |
The following table discusses how you can determine if a certificate or certificate authority is bad or missing.
|