topic [RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled in GlobalProtect Discussions

[RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled

VincentCollier — Sun, 07 Aug 2022 23:22:25 GMT

Since I upgraded to the lastest fedora, all of my python/ansible script failed when they are decrypted by our palo alto ssl outbound policy.

After some diging, fedora 35 was using openssl 1.1.1 and fedora 36 switched to openssl 3.0: https://fedoraproject.org/wiki/Changes/OpenSSL3.0

On the openssl 3.0 changelog, we can find this:

OPENSSL changelog between 1.1.1 and 3.0.0 [7 sep 2021] contains:

* Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.

I found a post on a stackoverflow that explain how to reenable unsecure renegociation to have a quick fix. This won't be a good solution when all our devs will be using linux and dockers with openssl 3.0 installed.

Is there a way to configure ssl decryption on the palo alto to enable secure renegociation ?

Re: [RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled

JC_PANW — Mon, 17 Jul 2023 02:25:16 GMT

This will be supported natively in the following versions:

11.0.2 - ETA July 2023

10.2.5 - ETA August 2023

10.1.11 - ETA - September 2023

9.1.17 - ETA October 2023

Re: [RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled

Will_Embrey — Wed, 25 Oct 2023 11:31:27 GMT

Looks like it's there now:

10.2.5 and 10.1.10

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-5-known-and-addressed-issues/pan-os-10-2-5-addressed-issues

PAN-184630	Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).