Cisco’s TLS 1.3 Problem: Cisco Bug CSCvn57284 – Unsupported EC curve x25519 on Firepower/FTD
Cisco Bug CSCvn57284 – Unsupported EC curve x25519 on FTD
I just started running into this the last couple of days. About 1/3rd of the SSL websites I try to view with SSL decryption enabled fail with a SSL Block and the error “UNSUPPORTED_EC_CURVE (0xb9001d57)” in the connection log.
Based on the x25519 curve in the bug description, it seems to be TLS 1.3 related and will probably only get worse as more sites enable TLS 1.3. This bug says the known affected releases are just 188.8.131.52, but it shows up on 6.3 code systems too.
In the meantime you can change your SSL policy default action to Block and reset instead of just block so at least the browsers don’t just hang.
Unsupported EC curve x25519 on FTD
SSL decryption fails with “UNSUPPORTED_EC_CURVE (0xb9001d57)” and the connections are timing out in the browser.
SSL debugs will show the following error : Unsupported named elliptic curve
enabling SSL policy with known key, if x25519 curve is on CH and server chooses it in the Server Key Exchange.
enabling SSL policy with known key, after the server-hello message sent, if it had ECDF that is not RFC 4492 will not work.
Contact TAC for Workaround
WHAT TAC WILL TELL YOU (hint, it won’t work!)
Tune the /etc/sf/ssl_client_hello.conf file, using:
system support ssl-client-hello-enabled ciphers true
system support ssl-client-hello-enabled curves true
system support ssl-client-hello-tuning extensions_remove 43
pmtool restartbytype DetectionEngine
After that you will need to reboot the snort engine with
* pmtool restartbytype DetectionEngine
So..do this for now:
Remove any application based rules rebuilding them using DN objects, then the FTD removes the x25519 EC from the client hello and the connection works.
URL Categories work fine as well.
Note: Microsoft is a pain to exempt. Lots of domains, and up to four level’s in the name for some of them. *.*.*.*. Microsoft.com
Yikes: I tested doing exemptions by certificate issuer, it didn’t work and it triggers the same unsupported EC error.
At least there is a work around for some of this for now.