Feature Request: SSL Certificate info in flows

Follow

heath

• December 05, 2021 13:09

In the information you record about the net flows, it would very helpful to also have the certificate information for SSL/TLS flows.  

Often times the reverse lookup on the IP will resolve to something at AWS or Akamai or another CDN provider, but the certificate will reveal information about the real site/application.  I know that you already inspect the SSL certificate as part of the security, so you have the information.  Adding it to the logs would make it easier to tell what that network flow really is.

0

• 

  Firewalla

  • December 05, 2021 18:23

  Many of the domains are extracted from certificates already. Do you want the full certificate? this may cause more memory, so likely only the gold can support it. 

  0

  Comment actions Permalink
• 

  Support Team

  • December 06, 2021 02:53

  The ssl domain is already extracted and will take precedence if SSL domain is different from DNS domain.

   

  We'll add a todo item to display SSL domain in the app UI.

  0

  Comment actions Permalink
• 

  Dave Taylor

  • March 13, 2022 09:48

  Nice feature!  You could possibly also look at the SNI in the TLS handshake, which is the FQDN that the client is officially asking to connect to.

  Note that this will all stop working as TLS 1.3 with its hide-everything mania gets more widespread adoption.

  0

  Comment actions Permalink
• 

  Firewalla

  • March 13, 2022 18:33

  Firewalla already looking at SNI and also block on that.

  Yes, TLS 1.3 ESNI may cause issues, but ... I don't think it is just us, it is a philosophical issue of hiding too much vs. control

  0

  Comment actions Permalink

Please sign in to leave a comment.