Imperva Cyber Community


How can I tell if the Encryption Support is working properly (decrypts and inspects)?

  • 1.  How can I tell if the Encryption Support is working properly (decrypts and inspects)?

    Posted 11-27-2019 08:20

    I just came across that my server's Public and Private SSL keys uploaded previously to SecureSphere are all expired, and am going to upload the new ones. But how can I tell if the Encryption Support is working properly (decrypts and inspects) after uploading? This is of concern to me as the WAF keeps "working" with expired keys, then what is the difference with the new effective keys to be uploaded? Thanks.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    analyst
    ------------------------------


  • 2.  RE: How can I tell if the Encryption Support is working properly (decrypts and inspects)?

    Imperva Employee
    Posted 11-27-2019 11:47
    For WAF we are referring to either reverse proxy or bridge mode and both need to be addressed within the context of your question.

    In bridge mode the traffic will pass through the GW with no impact due to expired keys.
    What may be impacted is inspection.
    If the key pair used in the expired cert is still valid, then decryption will occur.
    If there have been changes to how the cert is generated which impact the key pair, then decryption is not possible.
    You would see alerts in the MX UI indicating decryption failed due to the cert used.

    If you are in RP, then the end customer will see a warning that the certificate used for this connection has expired.
    Typically this is not a desirable situation and will typically generate customer calls/complaints.
    The rules around decrypt are the same as above. If the keys still work, then we can decrypt.

    ------------------------------
    Phil Klassen
    ------------------------------



  • 3.  RE: How can I tell if the Encryption Support is working properly (decrypts and inspects)?

    Posted 11-27-2019 23:34
    Thanks for replying, Phil.

    We are in bridge mode, and have updated the certs and keys (including those of two public web servers). However we are still receiving the following alerts from the public web servers in the Main > Monitor > Dashboard.

    Alert 761258: Untraceable SSL Sessions: Unsupported Cipher
    Alert 761287: Untraceable SSL Sessions: Unknown SSL Session

    Could this mean the decryption is still failing?

    ------------------------------
    kelvin chan
    ------------------------------



  • 4.  RE: How can I tell if the Encryption Support is working properly (decrypts and inspects)?

    Posted 12-04-2019 11:20


  • 5.  RE: How can I tell if the Encryption Support is working properly (decrypts and inspects)?

    Imperva Employee
    Posted 12-30-2019 11:09
    Hi Kelvin,

    A quick test would be to append a "/c m d.exe" to any URL (please remove the spaces between c m d when appending). If the block page is returned, then SSL decryption is working.

    In addition, review the logs for messages regarding Untraceable SSL sessions.

    If Untraceable SSL sessions are still present after updating the certificates, it's likely an incompatible cipher is being negotiated between the client and the server.

    Please review the official documentation for a list of Imperva WAF supported ciphers. Below is a quick link to v12.5:

    https://docs.imperva.com/bundle/v12.5-web-application-firewall-user-guide/page/534.htm

    If DHE (Diffie-Hellman) ciphers are in use, then Transparent Reverse Proxy (TRP) will need to be configured.

    ------------------------------
    Jaired Anderson
    Senior Professional Services Consultant
    Imperva
    Tulsa OK
    ------------------------------
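
The reply above says DHE ciphers require TRP, and the "Unsupported Cipher" alerts in Kelvin's post point the same way. As an added example (not code from the thread or from Imperva), this POSIX shell script uses openssl s_client to show which suite a server negotiates and whether it still accepts a static-RSA suite; the classification rests on the general TLS fact that only static-RSA key exchange can be recovered from the server's private key, while (EC)DHE and all TLS 1.3 suites use ephemeral values. Hostnames are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the thread or from Imperva. Classifies TLS cipher
# suites by key exchange: a bridge that decrypts with the server's private key
# can only follow static-RSA sessions; DHE/ECDHE and every TLS 1.3 suite derive
# the session key from ephemeral values, which is why TRP is needed for them.
# Requires the openssl command-line tool.

# Print the key-exchange class of an OpenSSL-style cipher suite name:
#   static-rsa      RSA key transport (OpenSSL omits the "RSA-" prefix)
#   forward-secret  DHE/ECDHE, or any TLS 1.3 suite (TLS_*)
#   other           anonymous DH, static (EC)DH, PSK, SRP and similar
kx_class() {
    case "$1" in
        TLS_*|ECDHE-*|DHE-*|EDH-*)            echo forward-secret ;;
        ADH-*|AECDH-*|ECDH-*|DH-*|*PSK*|SRP-*) echo other ;;
        *)                                    echo static-rsa ;;
    esac
}

# Print the suite the server negotiates, or nothing if the handshake fails.
# Optional $3 is an OpenSSL cipher string that restricts what is offered
# (TLS 1.2 is forced then, because -cipher does not affect TLS 1.3 suites).
negotiated_cipher() {
    host=$1; port=${2:-443}; restrict=${3:-}
    if [ -n "$restrict" ]; then set -- -tls1_2 -cipher "$restrict"; else set --; fi
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$@" 2>/dev/null \
        | sed -n '/^ *Cipher *: *0000/d; s/^ *Cipher *: *//p' | head -n 1
}

# Report the default suite and whether a static-RSA suite is accepted at all.
# A server that offers only forward-secret suites cannot be followed by a
# passive bridge no matter how fresh the uploaded keys are.
check_host() {
    target=$1; tport=${2:-443}
    default=$(negotiated_cipher "$target" "$tport")
    [ -n "$default" ] || { echo "$target: handshake failed"; return 1; }
    echo "$target: default suite $default ($(kx_class "$default"))"
    rsa=$(negotiated_cipher "$target" "$tport" kRSA)   # kRSA = RSA key exchange only
    if [ -n "$rsa" ]; then
        echo "$target: static-RSA suite accepted: $rsa"
    else
        echo "$target: no static-RSA suite accepted; only ephemeral key exchange is offered"
    fi
}

# Usage: ./tlskx.sh www.example.com [443]   (placeholder host)
if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run it against each protected server after a key rotation; a default suite classed as forward-secret with no static-RSA suite accepted explains persistent "Unsupported Cipher" alerts independently of the certificate.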