Firewall rule without decryption but a TLS Handshake failure is logged in SSL/TLS inspection log

Question

I have Host A talking to Server B with 587 SMTP with STARTTLS 
 A uses only Ciphers that are not supported by B and B closes the connection after A sent the TLS Client Hello. 
 Now we have a firewall rule that has IPS enabled, nothing else: 
 
 The handshake failure between A and B on Port 587 is logged in SSL /TLS log of the firewall. I do not expect it to be logged there. The destination Server is also in local TLS Exclusion Group. 
 
 Is the Firewall trying to decrypt the traffic anyway? 
 Do we need to excluse the traffic on shell? I would not like that.

LuCar Toni · Accepted Answer

Yeah we are logging errors. TLS Rules does not mean, it is decrypting. Because the firewall and DPI engine still see "errors" in the application. This means, the app is failing for whatever reason (see above) to setup the TLS. This is at this point a "plain text communication". Therefore we can log it. 
 You can check for this error: https://www.geeksforgeeks.org/how-to-fix-the-ssl-tls-handshake-failed-error/#:~:text=If%20the%20system%20date%20and,and%20have%20an%20expiration%20date .

LHerzog · Answer

I understand. So as the communication failed while handling out encryption, the firewall could see the unencrypted "to-be-encrypted" traffic and log's it because it "can do it". 
 It's OK for me. We were just struggling around and the colleagues argued, the firewall is intercepting the communication. in the end the tcpdump showed the incompatibility in ciphers I described initially.

thanks LuCar Toni !

Firewall rule without decryption but a TLS Handshake failure is logged in SSL/TLS inspection log

Top Replies