Which CLI command is used to control special handling of ClientHello messages?

A . system support ssl-client-hello-tuning
B . system support ssl-client-hello-display
C . system support ssl-client-hello-force-reset
D . system support ssl-client-hello-enabled

Answer: D

2 Comments
cherster29
2 years ago

No, it's D.
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/classic_device_command_line_reference.html#id_16172

ssl-client-hello-enabled
Controls special processing of the ClientHello message during the SSL handshake.

feature
Controls all special handling of ClientHello messages.
curves
Controls stripping of elliptic curves that the Firepower System does not support:
true (enabled)—The system strips any unsupported elliptic curves from the ClientHello message, increasing the likelihood of traffic decryption. You must also enable the extensions setting.

false (disabled)—The system retains unsupported elliptic curves in the ClientHello message, decreasing the likelihood of traffic decryption.

ciphers
Controls stripping of cipher suites that the Firepower System does not support:
true (enabled)—The system strips unsupported cipher suites from ClientHello messages, increasing the likelihood of traffic decryption.

false (disabled)—The system retains unsupported cipher suites in ClientHello messages. This decreases the likelihood of traffic decryption and can result in a number of Unsupported or Unknown Cipher errors in the SSL Flow Error field of associated connection events.

extensions
Controls stripping of TLS extensions that prevent decryption:
true (enabled)—The system identifies TLS extensions that prevent decryption and strips them from the ClientHello message. This value is required if you want to enable curves, session_ticket, and alpn.

false (disabled)—The system retains all TLS extensions in the ClientHello message. This decreases the likelihood of traffic decryption and can result in Unknown Session errors in the SSL Flow Error field of associated connection events.

session_ticket
Controls processing of the SessionTicket extension in ClientHello messages. If the system can match a SessionTicket value in an incoming ClientHello message to cached session data, it can resume the session without the client and server performing the full SSL handshake.
true (enabled)—The system strips unrecognized SessionTicket values from the ClientHello message. This increases the likelihood of traffic decryption for the resumed session. You must also enable the extensions setting.

false (disabled)—The system retains all SessionTicket values in the ClientHello message. This decreases the likelihood of traffic decryption and can result in Uncached Session errors in the SSL Flow Error field of associated connection events.

session_id
Controls processing of the Session Identifier element in ClientHello messages. If the system can match the Session Identifier in an incoming ClientHello message to cached session data, it can resume the session without the client and server performing the full SSL handshake.
true (enabled)—The system strips unrecognized Session Identifier values from the ClientHello message. This increases the likelihood of traffic decryption for the resumed session.

false (disabled)—The system retains all Session Identifier values in the ClientHello message. This decreases the likelihood of traffic decryption and can result in Uncached Session errors in the SSL Flow Error field of associated connection events.

alpn
Controls stripping of ALPN protocol values that cannot be decrypted, specifically, the SPDY and HTTP2 protocols:
true (enabled)—The system prevents the client from establishing SPDY or HTTP2 sessions, increasing the likelihood of traffic decryption and inspection. You must also enable the extensions setting.

false (disabled)—The system allows the client to establish SPDY or HTTP2 sessions with the server, decreasing the likelihood of traffic decryption and inspection.

compression
Controls stripping of TLS compression requests from ClientHello messages:
true (enabled)—The system prevents the client from establishing a TLS compressed session with the server.

false (disabled)—The system allows the client to establish a TLS compressed session with the server. This prevents traffic decryption for the session and can result in Compression Used errors in the SSL Flow Error field of associated connection events.

tls13_downgrade
Determines whether or not the FTD attempts to downgrade to TLS 1.2 a server request for a TLS 1.3 connection. FTD does not currently support TLS 1.3.
true (enabled)—The system attempts to downgrade a TLS 1.3 connection to TLS 1.2.

false (disabled)—The system does not attempt to downgrade, resulting in a failed connection.

aggressive_tls13_downgrade
Use this command only if advised to do so by Cisco TAC.
Example

> system support ssl-client-hello-enabled feature false

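The settings quoted above all describe one operation: the decrypting device rewrites the client's ClientHello before forwarding it, removing anything that would let the client and server negotiate something the device cannot decrypt. The following is an added example, not part of cherster29's comment and not Cisco or Firepower code: a small Python model that parses a TLS ClientHello body, applies each of the tuning steps (strip unsupported cipher suites and curves, blank unrecognised session tickets and session IDs, remove h2/SPDY from ALPN, allow only null compression, and downgrade a TLS 1.3 offer) and re-serialises it with corrected length fields. The SUPPORTED_CIPHERS, SUPPORTED_CURVES and UNDECRYPTABLE_ALPN sets, the function names, and the choice to model tls13_downgrade as dropping the supported_versions extension are assumptions made for the illustration; the sample ClientHello is constructed, not captured.

```python
# Added illustration of ClientHello "tuning" by a decrypting middlebox.
# Not Firepower code; the policy sets below are assumptions for the example.
import struct

SUPPORTED_CIPHERS = {0xC02F, 0xC030, 0x009C, 0x002F}   # assumed: ECDHE/RSA AES-GCM and AES128-CBC
SUPPORTED_CURVES = {0x001D, 0x0017, 0x0018}            # assumed: x25519, secp256r1, secp384r1
UNDECRYPTABLE_ALPN = {b"h2", b"spdy/3.1"}             # what the "alpn" setting removes
EXT_SUPPORTED_GROUPS, EXT_ALPN = 0x000A, 0x0010
EXT_SESSION_TICKET, EXT_SUPPORTED_VERSIONS = 0x0023, 0x002B


def u16_list(data, offset=0):
    """Decode a 2-byte-length-prefixed list of uint16 values starting at offset."""
    n = struct.unpack("!H", data[offset:offset + 2])[0]
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(offset + 2, offset + 2 + n, 2)]


def u16_list_bytes(values):
    """Inverse of u16_list."""
    return struct.pack("!H", 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)


def parse_client_hello(body):
    """Parse a ClientHello handshake body (record and handshake headers already removed)."""
    sid_len = body[34]
    p = 35 + sid_len
    h = {"version": body[0:2], "random": body[2:34], "session_id": body[35:p]}
    h["ciphers"] = u16_list(body, p)
    p += 2 + 2 * len(h["ciphers"])
    cm_len = body[p]
    h["compression"] = list(body[p + 1:p + 1 + cm_len])
    p += 1 + cm_len
    h["extensions"] = []
    if p < len(body):                                   # extensions block is optional
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p < end:
            t, l = struct.unpack("!HH", body[p:p + 4])
            h["extensions"].append((t, body[p + 4:p + 4 + l]))
            p += 4 + l
    return h


def build_client_hello(h):
    """Serialise the dict from parse_client_hello back into a body with fresh length fields."""
    cs = b"".join(struct.pack("!H", c) for c in h["ciphers"])
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in h["extensions"])
    return (h["version"] + h["random"]
            + bytes([len(h["session_id"])]) + h["session_id"]
            + struct.pack("!H", len(cs)) + cs
            + bytes([len(h["compression"])]) + bytes(h["compression"])
            + struct.pack("!H", len(exts)) + exts)


def tune_client_hello(body, cached_tickets=frozenset(), cached_session_ids=frozenset()):
    """Apply every tuning step and return the rewritten ClientHello body."""
    h = parse_client_hello(body)
    h["ciphers"] = [c for c in h["ciphers"] if c in SUPPORTED_CIPHERS]   # "ciphers"
    h["compression"] = [0]                                               # "compression": null only
    if h["session_id"] not in cached_session_ids:                        # "session_id"
        h["session_id"] = b""                                            # forces a full handshake
    kept = []
    for t, d in h["extensions"]:
        if t == EXT_SUPPORTED_GROUPS:                                    # "curves"
            d = u16_list_bytes([g for g in u16_list(d) if g in SUPPORTED_CURVES])
        elif t == EXT_ALPN:                                              # "alpn"
            protos, i = [], 2
            while i < len(d):
                protos.append(d[i + 1:i + 1 + d[i]])
                i += 1 + d[i]
            protos = [pr for pr in protos if pr not in UNDECRYPTABLE_ALPN]
            if not protos:
                continue                                 # nothing left: drop the extension
            inner = b"".join(bytes([len(pr)]) + pr for pr in protos)
            d = struct.pack("!H", len(inner)) + inner
        elif t == EXT_SESSION_TICKET and d not in cached_tickets:        # "session_ticket"
            d = b""                                      # empty ticket: "please issue a new one"
        elif t == EXT_SUPPORTED_VERSIONS:                                # "tls13_downgrade" (modelled)
            continue                                     # without it the server negotiates <= TLS 1.2
        kept.append((t, d))
    h["extensions"] = kept
    return build_client_hello(h)


def sample_client_hello():
    """Constructed sample (not a capture) mixing supported and unsupported values."""
    protos = b"".join(bytes([len(p)]) + p for p in (b"h2", b"http/1.1"))
    return build_client_hello({
        "version": b"\x03\x03", "random": bytes(range(32)), "session_id": b"\xAA" * 32,
        "ciphers": [0x1301, 0xC02F, 0xCCA8, 0xC030, 0x009C],   # TLS 1.3 suite and CHACHA20 unsupported here
        "compression": [0, 1],                                  # null and DEFLATE
        "extensions": [
            (EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"),  # offers TLS 1.3 and 1.2
            (EXT_SUPPORTED_GROUPS, u16_list_bytes([0x001D, 0x0017, 0x001E, 0x0100])),  # + x448, ffdhe2048
            (EXT_ALPN, struct.pack("!H", len(protos)) + protos),
            (EXT_SESSION_TICKET, b"\x11" * 16),
        ],
    })


if __name__ == "__main__":
    before = parse_client_hello(sample_client_hello())
    after = parse_client_hello(tune_client_hello(sample_client_hello()))
    for k in ("ciphers", "compression", "session_id", "extensions"):
        print(k, before[k], "->", after[k])
```

Running the script shows the effect of each knob on the constructed hello: the TLS 1.3 and ChaCha20 suites, x448 and ffdhe2048, DEFLATE, the h2 ALPN entry and the supported_versions extension disappear, and the session ID and ticket are blanked because they are not in the (empty) caches. Passing the ticket or session ID in cached_tickets / cached_session_ids keeps them, which is the "recognised value" case the documentation describes; note also that stripping unrecognised resumption data is what produces the extra full handshakes behind the Uncached Session errors the docs mention.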
Habibur Alan
2 years ago

Ans is A.