topic Re: SSL Inspection and SSL Labs in General Topics

SSL Inspection and SSL Labs

Claw4609 — Tue, 06 Jun 2023 15:36:01 GMT

Outside of minimum and maximum supported tls versions and ciphers what are some things to look for on SSL Labs that would be breaking decryption. In the Palo decryption logs if it shows error "Early close notify" what would be something to look for as the root cause?

Re: SSL Inspection and SSL Labs

Raido_Rattameister — Tue, 06 Jun 2023 16:12:47 GMT

Are you having issues with ssl decryption if users access the site?

SSL Labs by design will try different cipher settings and tests site security posture so seeing logs about failed connections in firewall logs is expected when those tests are performed.

Re: SSL Inspection and SSL Labs

Claw4609 — Tue, 06 Jun 2023 16:42:33 GMT

Yeah site is breaking for users when ssl inspection is applied, I can bypass that url from decryption and it works fine then. Saw the decryption logs showed "early close notify" then ran an SSL Labs check after the fact to see if anything stuck out.

Re: SSL Inspection and SSL Labs

Raido_Rattameister — Tue, 06 Jun 2023 17:32:38 GMT

Is this related to decrypting user traffic to website hosted somewhere in internet or you host web server and trying to set up ssl decryption for traffic from internet towards your web server?

Re: SSL Inspection and SSL Labs

Claw4609 — Tue, 06 Jun 2023 18:01:31 GMT

Forward proxy for internet traffic. Just curious what "early close notify" indicates or if there is anything to look for on the SSL Labs report that would indicate why its breaking.

Re: SSL Inspection and SSL Labs

TomYoung — Tue, 06 Jun 2023 20:04:48 GMT

Hi @Claw4609 ,

I agree with you. It would be nice if PANW had an index of decryption errors. I found this -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/decryption-log-errors-and-error-indexes but an index of every error and cause would be nice.

Thanks,

Tom

Re: SSL Inspection and SSL Labs

Chris_S — Fri, 09 Jun 2023 21:50:10 GMT

Claw4609, I have recently just started to see a ton of early close notify Protocol errors on our PA's for and it seems to have just started. Some of the sites are well known sites with a fully trusted chains such as youtube.com and connectivitycheck.gstatic.com.
Is that what you are seeing?

Re: SSL Inspection and SSL Labs

Claw4609 — Sat, 10 Jun 2023 22:11:36 GMT

Not necessarily on those sites specifically but we are seeing it on some notable sites.