Former Member
Message 1 of 7

Any plans for updated SSLCipherSuite support for decryption??

Given the recent influx of vulnerabilities to cipher suites and SSL3-TLS1.1 in the past several years, the limited list of supported ciphers that NSM can handle is now absurd. We're running two NS-9300s and would like to be able to put a dozen or so websites behind the SSL decryption capacity that the sensors advertise. At this point though, that feature should have the largest asterisk in the world attached.

The product supports none of the ciphers mandated by federal (or any SSL good practices site's) recommendation, so its decryption ability is effectively useless.

What NEEDS to be supported are the TLS_ECDHE_ECDSA_* list of ciphers as that is the baseline config going forward.

To not support these and claim SSL decrypt capability going forward borders on false advertising.

6 Replies
d_aloy
Reliable Contributor
Message 2 of 7

Re: Any plans for updated SSLCipherSuite support for decryption??

Hi tmeader

Yes, there are plans to support perfect forward secrecy encryption in the near future. You would need to check with your Sales Representative for them to get confirmation from PM, but I believe this should be available on 8.4 or 9.0, so later on this year.

The difference between the current decryption feature and PFS is that as you know, PFS uses a randomly generated secret key per TLS conversation, whereas older encryption would use the server's secret key.

Because PFS uses randomly generated keys, the only way to inspect the traffic is to act as a TLS proxy.

Currently the sensor uses the server's private key to decrypt the matching conversation on the fly, without terminating the TLS connection, so it is completely invisible to the client or server.

Once the new version with the TLS proxy capabilities is out, you will import your keys to the sensors, which will then terminate the incoming PFS conversations, scan the clear traffic, and re-encrypt the traffic to your servers.

And best of all, this will not only allow you to scan the incoming PFS conversations, but because the sensor will be proxying the TLS conversations, it will also support outbound TLS scanning - which is great, because as we know malware usually uses TLS for outbound communications.

I am aware that McAfee had this on their roadmap a while ago, so as previously said, the best option is to contact your Sales Rep to get the ETA for this feature.

HTH.

Regards

David
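The two inspection modes David contrasts, as an added example that is not part of the original post and not NSP's code. It uses toy-sized RSA and Diffie-Hellman parameters and an HMAC-derived XOR stream as a stand-in for the TLS record layer, so that it runs on the Python standard library alone; every primitive here is demo-only. The point it shows: with static RSA key exchange a sensor holding the server's private key recovers the premaster secret from the captured ClientKeyExchange and decrypts in place, while with ephemeral DH the same private key recovers nothing, and the sensor has to hold two sessions of its own.

```python
"""Toy model of the two inspection modes: passive decryption with the server's
long-term RSA key (static-RSA key exchange only) versus a TLS proxy that
terminates the client's session and originates its own to the server (needed
once the key exchange is ephemeral DH / ECDH).

Added example, not NSP code. RSA and DH parameters are tiny and the "record
layer" is an HMAC-derived XOR stream: DEMO ONLY, never use for real traffic.
"""
import hashlib
import hmac
import secrets

DH_P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59 (prime); far too small for real use
DH_G = 2


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def rsa_keypair():
    # Two fixed 32-bit primes (2**32 - 5 and 2**32 - 17); n is about 64 bits.
    p, q = 4294967291, 4294967279
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def session_key(secret_int):
    # Stand-in for the TLS PRF: hash the (at most 64-bit) shared secret.
    return hashlib.sha256(secret_int.to_bytes(8, "big")).digest()


def _stream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, msg):
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(key, rec):
    ct, tag = rec[:-32], rec[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("record MAC failed: wrong session key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))


def static_rsa_passive(server_pub, server_priv, msg):
    """Static RSA kx: the client encrypts a random premaster to the server's
    long-term key. A sensor holding the same private key recovers it from the
    captured ClientKeyExchange and reads the record without touching the flow."""
    n, e = server_pub
    premaster = secrets.randbelow(1 << 60)
    wire_premaster = pow(premaster, e, n)          # what the sensor captures
    record = seal(session_key(premaster), msg)     # client -> server
    n, d = server_priv                             # sensor has the imported key
    return unseal(session_key(pow(wire_premaster, d, n)), record)


def dhe_passive_attempt(msg):
    """Ephemeral DH kx: the sensor sees g^a and g^b only; the server's long-term
    key is not involved in the secret. Any key it derives from public values
    fails the record MAC. Returns True only if it somehow decrypted."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    record = seal(session_key(pow(s_pub, c_priv, DH_P)), msg)
    try:
        unseal(session_key(c_pub * s_pub % DH_P), record)   # not g^(ab)
    except ValueError:
        return False
    return True


def dhe_proxy(msg):
    """Proxy mode: the sensor keeps one DH keypair facing the client and one
    facing the server, so it holds both session keys and can decrypt, inspect
    and re-encrypt. Returns (what the sensor saw, what the server received)."""
    c_priv, c_pub = dh_keypair()            # client ephemeral
    s_priv, s_pub = dh_keypair()            # origin server ephemeral
    pc_priv, pc_pub = dh_keypair()          # sensor, client-facing
    ps_priv, ps_pub = dh_keypair()          # sensor, server-facing
    k_client = session_key(pow(pc_pub, c_priv, DH_P))    # client <-> sensor
    k_sensor_c = session_key(pow(c_pub, pc_priv, DH_P))
    k_sensor_s = session_key(pow(s_pub, ps_priv, DH_P))  # sensor <-> server
    k_server = session_key(pow(ps_pub, s_priv, DH_P))
    record = seal(k_client, msg)                # client sends
    cleartext = unseal(k_sensor_c, record)      # sensor inspects
    relayed = seal(k_sensor_s, cleartext)       # sensor re-encrypts
    return cleartext, unseal(k_server, relayed)
```

The practical consequence of the proxy path is that the client no longer completes a handshake with the origin server: it completes one with the sensor. For inbound traffic the imported server key lets the sensor present the server's own identity; for outbound inspection, clients have to trust whatever certificate the sensor presents for the remote site, which is an endpoint trust-store change to plan for alongside the sensor upgrade.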

ciaranr
Level 9
Message 3 of 7

Re: Any plans for updated SSLCipherSuite support for decryption??

Hi guys,

just to follow up on David's post, I have a meeting with NSP product manager in 2.5 hours to discuss NSP roadmap for v9.1.

What I've been told so far is that v8.4 is a "cloud version" and we are going to v9.1 next; this will be "an everyone release", not specifically a FIPS release according to our SAM.

I'll ask about SSL Decrypt & PFS during this call.

If you have any questions you would like me to ask or any features you would like to know about, reply to this post, I will ask them and post back here on the responses I get.

ciaranr
Level 9
Message 4 of 7

Re: Any plans for updated SSLCipherSuite support for decryption??

Hi,

I followed up on this question during our session with the product manager yesterday. The SSL decryption feature is being looked at for improvements by year end, in particular the incorporation of ECDHE.

We were informed of improvements to be included in 9.1 - expected by month-end. This will be their longer-term stable release.

Currently the road-map spoken about suggests the inclusion of ECDHE in the following feature release - 9.2, tentatively scheduled for December.

He has suggested that I provide a list of the ciphers you are concerned about and he will confirm which are expected to be included. If you would reply to this with specifics, I will forward same on to him.

I neglected to ask about PFS as David had mentioned above, I will include this in my follow-up mail also.

--CR

Former Member
Message 5 of 7

Re: Any plans for updated SSLCipherSuite support for decryption??

Sorry for the delayed follow-up. The specific ciphers that we require (and I'm assuming virtually everyone going forward) are (in order):

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA

Thanks.

ciaranr
Level 9
Message 6 of 7

Re: Any plans for updated SSLCipherSuite support for decryption??

Hi,

I've sent a mail to our SAM & the PM for NSP. I'll let you know here what I get back.

--CR

ciaranr
Level 9
Message 7 of 7

Re: Any plans for updated SSLCipherSuite support for decryption??

Hi,

I've just received word back from the Product Manager about cipher suites for SSL Decryption in upcoming versions of NSP, see below.

We have deferred outbound SSL functionality release for a couple of months, but when released it will support the following ciphers:

AES128-SHA
AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA

AES128-SHA
AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA

AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA

There has not been any change in Inbound SSL processing as of now. We expect to support these same ciphers in inbound SSL by the end of this year.
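A check on the two lists posted in this thread (the required list in message 5 and the promised list in message 7), as an added example that is not part of the original posts and not NSP's code. It parses OpenSSL-style suite names, marks which suites the existing passive mode can decrypt with the server's RSA private key (static RSA key exchange only) and which provide forward secrecy and therefore need the proxy, and reports what the promised list leaves out of the required one. The classification rests on OpenSSL's naming convention, where a name with no key-exchange prefix (AES128-SHA and friends) means static RSA key exchange with RSA authentication; the promised list is retyped as posted, repeats and all, and deduplicated in code.

```python
"""Classify OpenSSL-style cipher suite names the way this thread needs:
passive-decryptable with the server's RSA key, or forward-secret and therefore
proxy-only; then compare a required list against a vendor's promised list.

Added example, not NSP code. Both input lists are the ones posted in this
thread, retyped here.
"""
import re

REQUIRED = [  # message 5, in the order posted
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
]

PROMISED = [  # message 7, as posted (the repeats are in the original)
    "AES128-SHA", "AES256-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
]

# OpenSSL naming: [kx-auth-]bulk[-mode][-mac]. No kx prefix means static RSA
# key exchange with RSA authentication. Covers the AES/ChaCha20/RC4 families.
_SUITE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>RSA|ECDSA)-)?"
    r"(?P<bulk>AES128|AES256|CHACHA20|RC4)"
    r"(?:-(?P<mode>GCM|POLY1305))?"
    r"(?:-(?P<mac>SHA256|SHA384|SHA|MD5))?$"
)


def classify(name):
    m = _SUITE.match(name)
    if not m or not (m["mode"] or m["mac"]):
        raise ValueError(f"unrecognised suite name: {name}")
    kx = m["kx"] or "RSA"
    return {
        "suite": name,
        "kx": kx,
        "auth": m["auth"] or "RSA",
        "bulk": m["bulk"],
        "aead": m["mode"] in ("GCM", "POLY1305"),
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        # Passive decryption with the server's private key only works when the
        # premaster secret is encrypted to that key, i.e. static RSA kx.
        "passive_decrypt_ok": kx == "RSA",
        "needs_proxy": kx != "RSA",
    }


def dedupe(names):
    seen, out = set(), []
    for n in names:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def report(required, promised):
    """Coverage of `required` by `promised`, plus how each promised suite can
    be inspected. Lists keep the posted order."""
    promised_u = dedupe(promised)
    return {
        "promised_unique": len(promised_u),
        "promised_passive_ok": [s for s in promised_u if classify(s)["passive_decrypt_ok"]],
        "promised_needs_proxy": [s for s in promised_u if classify(s)["needs_proxy"]],
        "missing_from_required": [s for s in required if s not in promised_u],
        "non_aead_in_required": [s for s in required if not classify(s)["aead"]],
    }


if __name__ == "__main__":
    for key, value in report(REQUIRED, PROMISED).items():
        print(f"{key}: {value}")
```

Run against the thread's own lists, the report shows that the two DHE-RSA GCM suites from message 5 are absent from the promised list, that only the six suites without an ECDHE prefix can be handled by the current passive mode, and that half of the required list is still CBC-with-HMAC rather than AEAD. The classifier also answers the original question about TLS_ECDHE_ECDSA_* suites: they need the proxy, and the sensor would need the ECDSA key, not just an RSA one.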
