https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457058#M101784 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78211">@Moritz</a>,</P> <P>You need to look at the supported cipher suite document that&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;linked and pass that along to the person running your web server or load balancer. The website and the firewall need to have the same ciphers enabled so that the firewall can actually proxy the traffic. There's not a magic solution to this one, you need to work with your web admin.&nbsp;</P> Wed, 05 Jan 2022 19:20:56 GMT BPry 2022-01-05T19:20:56Z https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/456755#M101759 <P>Hi,</P><P>have a decryption policies for inbound ssl decryption to a webpage. Therefor I have included the private Certificate.</P><P>At decryption monitor there is a message:</P><P>( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )</P><P>&nbsp;</P><P>Found this link&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/troubleshoot-unsupported-cipher-suites.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/troubleshoot-unsupported-cipher-suites.html</A>&nbsp;but my bitmask is 0x00 ?</P><P>&nbsp;</P><P>How can I fix it? I chose the strict ssl control decryption profile but no help.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Jan 2022 20:27:28 GMT https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/456755#M101759 Moritz 2022-01-04T20:27:28Z https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/456988#M101774 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78211">@Moritz</a> ,</P> <P>&nbsp;</P> <P>Supported cipher suites will vary depending on your PAN-OS version.&nbsp; What's your current version and how is your decryption profile configured ?</P> <P>&nbsp;</P> <P>As an example, some earlier PAN-OS versions only supported DHE or ECDHE for SSL Forward Proxy (it wasn't not supported for Inbound Inspection).&nbsp;</P> <P>&nbsp;</P> <P>You might want to do some more debugging and check on which cipher suite client/server agree upon in the SSL handshake and compare that to the compatibility matrix to see if it's actually supported:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites.html" target="_blank">https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites.html</A></P> <P>&nbsp;</P> <P>Hope it helps</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Wed, 05 Jan 2022 14:47:48 GMT https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/456988#M101774 kiwi 2022-01-05T14:47:48Z https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457020#M101780 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;,</P><P>&nbsp;</P><P>I have a PA220 with PANOS 10.0.8.<BR />As Decryption profile I tested none, default and Strict SSL:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Moritz_0-1641402005330.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38523i01474FB2E1CFF7BF/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Moritz_0-1641402005330.png" alt="Moritz_0-1641402005330.png" /></span></P><P>&nbsp;</P><P>How can I debug this. Trace a request and look into the SSL header? Have not done anything like this before. No experience with it.</P><P>&nbsp;</P> Wed, 05 Jan 2022 17:02:28 GMT https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457020#M101780 Moritz 2022-01-05T17:02:28Z https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457058#M101784 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78211">@Moritz</a>,</P> <P>You need to look at the supported cipher suite document that&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;linked and pass that along to the person running your web server or load balancer. The website and the firewall need to have the same ciphers enabled so that the firewall can actually proxy the traffic. There's not a magic solution to this one, you need to work with your web admin.&nbsp;</P> Wed, 05 Jan 2022 19:20:56 GMT https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457058#M101784 BPry 2022-01-05T19:20:56Z https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457211#M101798 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78211">@Moritz</a> ,</P> <P>&nbsp;</P> <P>What <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> said <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> !</P> <P>&nbsp;</P> <P>My guess is that the web server offers a cipher suite that the PA doesn't support.&nbsp; If you can run a PCAP you should be able to capture the SSL handshake and get information on the cipher suite being used.</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 06 Jan 2022 09:30:23 GMT https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/457211#M101798 kiwi 2022-01-06T09:30:23Z https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/596458#M118653 <P><SPAN>( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )</SPAN><BR /><SPAN><BR />According to the reference article linked below, the cipher bitmask: 0x00000000 means that the firewall doesn't support the cipher.<BR /><BR /></SPAN>Reference:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/decryption-log-errors-and-error-indexes" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/decryption-log-errors-and-error-indexes</A><BR /><BR /><BR /></P> Sat, 31 Aug 2024 03:57:43 GMT https://live.paloaltonetworks.com/t5/general-topics/unsupported-cipher-supported-client-cipher-bitmask-0x00000000/m-p/596458#M118653 William-Wu 2024-08-31T03:57:43Z