Cisco’s TLS 1.3 Problem: Cisco Bug CSCvn57284 – Unsupported EC curve x25519 on Firepower/FTD

Cisco Bug CSCvn57284 – Unsupported EC curve x25519 on FTD 

I just started running into this the last couple of days. About a third of the SSL websites I try to view with SSL decryption enabled fail with an SSL Block and the error “UNSUPPORTED_EC_CURVE (0xb9001d57)” in the connection log.

Based on the x25519 curve in the bug description, it seems to be TLS 1.3-related and will probably only get worse as more sites enable TLS 1.3. This bug says the known affected releases are just 6.2.3.9, but it shows up on 6.3 code systems too.

In the meantime you can change your SSL policy default action to Block and reset instead of just block so at least the browsers don’t just hang.

Unsupported EC curve x25519 on FTD

CSCvn57284

Description

Symptom:
SSL decryption fails with “UNSUPPORTED_EC_CURVE (0xb9001d57)” and the connections are timing out in the browser.

or

SSL debugs will show the following error: Unsupported named elliptic curve

Conditions:
Enabling an SSL policy with a known key, if the x25519 curve is in the CH and the server chooses it in the Server Key Exchange.

or

Enabling an SSL policy with a known key: after the server-hello message is sent, if it had an ECDF that is not RFC 4492, it will not work.

Workaround:
Contact TAC for Workaround

WHAT TAC WILL TELL YOU (hint, it won’t work!)

Tune the /etc/sf/ssl_client_hello.conf file, using:

system support ssl-client-hello-enabled ciphers true

system support ssl-client-hello-enabled curves true

system support ssl-client-hello-tuning extensions_remove 43

After that you will need to restart the snort engine with:

pmtool restartbytype DetectionEngine

So, do this for now:

Remove any application-based rules and rebuild them using DN objects; the FTD then removes the x25519 EC curve from the client hello and the connection works.

URL Categories work fine as well.

Note: Microsoft is a pain to exempt: lots of domains, and up to four levels in the name for some of them (*.*.*.*.microsoft.com).

Yikes: I tested doing exemptions by certificate issuer; it didn’t work and triggered the same unsupported EC error.

At least there is a workaround for some of this for now.
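To see which client hellos would hit this condition before the FTD does, the following added example (not from the post, and not Cisco code) parses a TLS ClientHello and reports whether it offers x25519 in supported_groups and TLS 1.3 in supported_versions (extension 43, the one the tuning above strips). The ClientHello is constructed inline for offline testing; the extension and group numbers come from the TLS registries, not from the page.

```python
import struct

# Constants from the TLS registries (not from the post): x25519 group id, the
# supported_groups (10) and supported_versions (43) extensions, and TLS 1.3.
X25519 = 0x001D
EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43
TLS13 = 0x0304

def parse_extensions(hello: bytes) -> dict:
    """Return {ext_type: ext_data} from a ClientHello handshake message (no record header)."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # header, legacy_version, random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos, exts = pos + 2, {}
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def offered_groups(exts: dict) -> list:
    data = exts.get(EXT_SUPPORTED_GROUPS, b"\x00\x00")      # 2-byte length, then group ids
    n = struct.unpack("!H", data[:2])[0]
    return list(struct.unpack(f"!{n // 2}H", data[2:2 + n]))

def offered_versions(exts: dict) -> list:
    data = exts.get(EXT_SUPPORTED_VERSIONS, b"\x00")        # 1-byte length, then versions
    n = data[0]
    return list(struct.unpack(f"!{n // 2}H", data[1:1 + n]))

def check_client_hello(hello: bytes) -> dict:
    """Report whether the hello offers x25519 (the bug trigger) and TLS 1.3 (what ext 43 carries)."""
    exts = parse_extensions(hello)
    return {"offers_x25519": X25519 in offered_groups(exts),
            "offers_tls13": TLS13 in offered_versions(exts)}

def build_client_hello(groups, versions) -> bytes:
    """Constructed minimal ClientHello (zero random, one cipher suite) for offline testing."""
    ext_groups = struct.pack("!H", 2 * len(groups)) + struct.pack(f"!{len(groups)}H", *groups)
    ext_versions = bytes([2 * len(versions)]) + struct.pack(f"!{len(versions)}H", *versions)
    exts = (struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_groups)) + ext_groups
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_versions)) + ext_versions)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Feed `check_client_hello` the handshake bytes of a real capture (record header removed) to tell the hellos that will trip the curve check from those that will not.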


2 Comments

  1. Have had success with the below:
    1. ssh into your sensor running ftd code (sfr module)
    2. go into expert mode
    3. > vi /etc/sf/ssl_tuning.conf
    4. type ‘i’ to edit
    5. add the following line after the lines of text
    a. knownkey_modification=true
    6. hit ctrl c
    a. type :wq
    7. restart snort
