- Auto Traffic Analysis and Protocol Generation
- Classifying Network Traffic Using NBAR
- Enabling Protocol Discovery
- Configuring NBAR Using the MQC
- DSCP-Based Layer 3 Custom Applications
- MQC Based on Transport Hierarchy
- NBAR Categorization and Attributes
- Reporting Extracted Fields Through Flexible NetFlow
- NBAR Protocol Pack
- NBAR Protocol Pack Auto Update
- NBAR2 Custom Protocol
- NBAR2 Protocol Pack Hitless Upgrade
- NBAR Web-based Custom Protocols
- NBAR2 HTTP-Based Visibility Dashboard
- NBAR Coarse-Grain Classification
- SSL Custom Application
- Fine-Grain NBAR for Selective Applications
- NBAR Custom Applications Based on DNS Name
- NBAR Customized Assistance Based on SSL or HTTP
SSL Custom
Application
SSL Custom Application feature enables users to customize applications that run on any protocol over Secure Socket Layer (SSL), including HTTP over Secure Socket Layer (HTTPS), using the server name, if it exists in the Client Hello extensions, or the common name from the certificate that the server sends to the client.
- Finding Feature Information
- Information About SSL Custom Application
- How to Configure SSL Custom Application
- Configuration Examples for the SSL Custom Application
- Additional References for SSL Custom Application
- Feature Information for SSL Custom Application
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About SSL Custom Application
Overview of SSL Custom Application
SSL Custom Application feature enables users to customize applications that run on any protocol over Secure Socket Layer (SSL), including HTTP over Secure Socket Layer (HTTPS), using the server name, if it exists in the Client Hello extensions, or the common name from the certificate that the server sends to the client.
HTTP over Secure Socket Layer (HTTPS) is a communication protocol for secure communication. HTTPS is the result of layering HTTP on SSL protocol.
In SSL sub-classification, the rule that ends later in the packet will match. For example, consider the server name ‘finance.example.com’, if there is a rule for ‘finance’ and another rule for example.com, then the rule for ‘example.com’ will match.
SSL Unique Name Sub-Classification
The SSL unique-name parameter is used to match SSL sessions of servers that are not known globally, or are not yet supported by NBAR. The unique-name matches the server name indication (SNI) field in the client request, if the SNI field exists, or it matches the common name (CN) field in the first certificate of the server's response.
The feature also supports cases of SSL sessions that use session-id than the SSL sessions that use handshake.
The server name is available as part of a HTTPS URL itself. For example, in the URL https://www.facebook.com, the server name is www.facebook.com. However, the certificate is found in the browser. The user can observe the certificate information by clicking on the HTTPS icon.
The following two figures display the location of the server name and common name as it is visible to the user using Wireshark tool.
The figure below highlights the location of the SNI field:
The figure below highlights the location of the CN field:
How to Configure SSL Custom Application
Configuring SSL Custom Application
1.
enable
2.
configure
terminal
3.
ip nbar
custom
custom-protocol-name
ssl
unique-name
regex
id
selector-id
4.
end
DETAILED STEPS
Configuration Examples for the SSL Custom Application
Example: SSL Custom Applications
The following example displays how to configure SSL Custom Application. The hostname that is configured in this command is found either in the Server Name Indication (SNI) field in the Client Hello extensions or in the Common Name (CN) field in the digital certificate that the server sends to the client.
Device> enable Device# configuration terminal Device(config)# ip nbar custom name ssl unique-name www.example.com id 11 Device(config)# exit
Additional References for SSL Custom Application
Related Documents for SSL Custom Application
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
SSL Sub-classification |
NBAR Protocol Pack module |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for SSL Custom Application
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
SSL Custom Application |
Cisco IOS XE Release 3.15S |
SSL Custom Application feature enables users to customize applications that run on any protocol over Secure Socket Layer (SSL), including HTTP over Secure Socket Layer (HTTPS), using the server name, if it exists in the Client Hello extensions, or the common name from the certificate that the server sends to the client. The following command was introduced or modified: ip nbar custom. |
Feedback