https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456795#M101762 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36075">@ShaiW</a>&nbsp;</P> <P>It seems you have figure it out by yourself.</P> <P>Strip-ALPN will basically dowgrade HTTP/2 to HTTP/1.1 and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing the "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3. </P> <P>&nbsp;</P> <P>It is better to configure your profile to use max version with "max" and set the min version to specific version</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_1-1641333464832.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38517i3C7905F24A5C5BCC/image-size/medium?v=v2&amp;px=400" role="button" title="Astardzhiev_1-1641333464832.png" alt="Astardzhiev_1-1641333464832.png" /></span></P> <P>This will make sure that when new TLS version is supported by the PanOS, you don't have to update your configuration (like in this case)</P> Tue, 04 Jan 2022 21:57:53 GMT aleksandar.astardzhiev 2022-01-04T21:57:53Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456631#M101749 <P>Hi</P><P>&nbsp;</P><P>I have a customer that wrote to me yesterday that if they remove the checkbox for Strip ALPN while having SSL decryption enabled, a few web sites such as yandex.com stop working.</P><P>I was able to reproduce this with my PA-3220 and PANOS 9.1 and also on my VM with PANOS 10, the result is ERR_HTTP2_PROTOCOL_ERROR in Edge browser. There do not appear to be any decrypt-error messages and in the traffic log it appears like a normal decrypted session.</P><P>I dug through the PCAP file, can see the chosen cipher and verified that it is indeed listed as available on firewall. Also counters do not show drops.</P><P>&nbsp;</P><P>Does anyone have an idea what could cause this? Right now the customer has a decryption policy with Strip-ALPN enabled for these few sites.</P><P>&nbsp;</P><P>Thanks,</P><P>Shai</P> Tue, 04 Jan 2022 06:56:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456631#M101749 ShaiW 2022-01-04T06:56:25Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456704#M101755 <P>EDIT: This web site starts working if I change max version to TLS 1.3 (under decryption profile) and stops working when I set it at TLS 1.2. No other changes are made.</P><P>This feels like a specific web-site issue more than a firewall one.</P><P>&nbsp;</P> Tue, 04 Jan 2022 15:04:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456704#M101755 ShaiW 2022-01-04T15:04:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456795#M101762 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36075">@ShaiW</a>&nbsp;</P> <P>It seems you have figure it out by yourself.</P> <P>Strip-ALPN will basically dowgrade HTTP/2 to HTTP/1.1 and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing the "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3. </P> <P>&nbsp;</P> <P>It is better to configure your profile to use max version with "max" and set the min version to specific version</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_1-1641333464832.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38517i3C7905F24A5C5BCC/image-size/medium?v=v2&amp;px=400" role="button" title="Astardzhiev_1-1641333464832.png" alt="Astardzhiev_1-1641333464832.png" /></span></P> <P>This will make sure that when new TLS version is supported by the PanOS, you don't have to update your configuration (like in this case)</P> Tue, 04 Jan 2022 21:57:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456795#M101762 aleksandar.astardzhiev 2022-01-04T21:57:53Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456897#M101767 <P>Hi</P><P>&nbsp;</P><P>The customer is still on PAN-OS 9 which does not support TLS 1.3 and all other web sites work fine. Its just yandex.com that does not.</P><P>I am pretty sure it is not firewall related, more like a web-site issue.</P><P>&nbsp;</P><P>Shai</P> Wed, 05 Jan 2022 07:36:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/456897#M101767 ShaiW 2022-01-05T07:36:04Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/511827#M106377 <P>Hi,</P> <P>Use with caution- at 3430 pair the workaround Min=TLS1.2 and Max=Max crashed firewall. Used PanOS 10.2.1</P> <P>For the issue with&nbsp;<SPAN>ERR_HTTP2_PROTOCOL_ERROR the config change fixed it but just for a minute between commiting the change and till the FW crashed into maint mode.</SPAN></P> <P>&nbsp;</P> Mon, 15 Aug 2022 07:23:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-alpn-not-stripped-yandex-com-not-working/m-p/511827#M106377 Trustnet-ET 2022-08-15T07:23:07Z