1 Reply Latest reply on Apr 25, 2016 11:08 PM by lnurmi

    Allowing a TLS_Unrecoverable-Error in SMC

    cgeeves

We would like to add an allow rule to the network inspection policy for a trusted domain that is triggering a TLS_Unrecoverable-Error. We have tried adding rules for the specific domain to no avail; even when allowing this exception for all domains, the error-flagged packets are terminated.

      Currently we are using Next Generation Firewall version 5.10.2 build 14076, and SMC version 5.10.1 [10027].  I'm happy to supply any further information needed.

        • 1. Re: Allowing a TLS_Unrecoverable-Error in SMC
          lnurmi

          Hi,


maybe you already opened a ticket for this since nobody was quick to answer, but... TLS_Unrecoverable-Error is generated if the TLS decryption fails, and it always results in a terminated connection.


In 5.8 and newer this may happen if application detection is enabled, in the following scenario:

If the SNI in the SSL Client Hello does not trigger any TLS Match, decrypting is started, i.e. the stream is modified. After that, when the server certificate is seen, all domains in the cert are matched to get an application for the connection. Some CDNs include a huge number of domains in the certificate; if one of those triggers a TLS Match which denies decrypting, the connection is terminated with TLS_Unrecoverable-Error because the stream was already modified. As decryption is no longer allowed, the connection would fail anyway since the stream was already modified.


          To work around that you can create a new TLS Match which denies decrypting for the trusted domain.


          BR,
          Lauri
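The inspection sequence described in the reply above (SNI checked first, decryption started, then every certificate domain matched), modelled as decision logic to show why the deny-decrypt TLS Match for the trusted SNI avoids the error. This is an added illustrative example, not Forcepoint/Stonesoft code; the rule format, function names and sample domains are assumptions.

```python
"""Model of the TLS inspection sequence from the reply (decision logic only).

Illustrative model, not product code: the rule representation, the function
names and the sample domains are constructed assumptions.
"""
from fnmatch import fnmatch

DECRYPT = "decrypt"
NO_DECRYPT = "no_decrypt"            # a TLS Match that denies decrypting
TLS_ERROR = "TLS_Unrecoverable-Error"


def first_match(rules, name):
    """Return the action of the first TLS Match whose pattern covers name, else None."""
    for pattern, action in rules:
        if fnmatch(name.lower(), pattern.lower()):
            return action
    return None


def inspect(rules, sni, cert_domains):
    """Follow the order from the reply: SNI first, then every domain in the cert."""
    # Step 1: the SNI in the Client Hello is checked before the stream is touched.
    if first_match(rules, sni) == NO_DECRYPT:
        return NO_DECRYPT            # pass-through; the stream is never modified
    # Step 2: no deny match, so decryption starts, i.e. the stream is modified.
    stream_modified = True
    # Step 3: the server certificate arrives and all of its domains are matched.
    for domain in cert_domains:
        if first_match(rules, domain) == NO_DECRYPT and stream_modified:
            return TLS_ERROR         # modification cannot be undone: terminate
    return DECRYPT


# Constructed sample: a trusted site served from a CDN certificate whose SAN
# list also carries a name covered by an existing deny-decrypt TLS Match.
CDN_CERT = ["trusted.example.com", "static.example.net", "*.bank.example.org"]
BASE_RULES = [("*.bank.example.org", NO_DECRYPT)]        # existing deny-decrypt match
WORKAROUND = [("trusted.example.com", NO_DECRYPT)] + BASE_RULES   # Lauri's suggestion


def before_and_after():
    """Outcome for the trusted domain without and with the workaround rule."""
    return (inspect(BASE_RULES, "trusted.example.com", CDN_CERT),
            inspect(WORKAROUND, "trusted.example.com", CDN_CERT))


if __name__ == "__main__":
    print(before_and_after())   # ('TLS_Unrecoverable-Error', 'no_decrypt')
```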