topic Re: Solution for "SSL decryption bypass for Anydesk" in General Topics

Solution for "SSL decryption bypass for Anydesk"

OZamir — Mon, 22 Mar 2021 08:45:06 GMT

Hello,

I am being asked a lot about why is Anydesk getting a "decrypt-error" end reason when SSL Decryption is active.

Here is a simple explanation and how to overcome this.

What you usually going to do with this kind of errors is creating a Decryption bypass rule for Anydesk (in this example)

Since is it impossible to bypass based on application, you would probably use a Custom URL category with a wildcard (*.anydesk.com), and apply it in a bypass rule. Unfortunately, this doesn't work (I'm not sure why, I think Anydesk uses IP addresses and not URLs)

The other option I came across is using an FQND (relays.net.anydesk.com) published in one of the related articles, that also didn't work for me. It was not consistent.

Then I found that Anydesk is being bypassed by default in PANOS (Device --> Certificate management --> SSL Decryption Exclusion).

Then why isn't it being bypassed?!

Well, it is because of the certificate Anydesk uses. It is using a Self-Signed certificate, and your device does not trust it (yet).

This is the reason for the decrypt-error.

Basically, what you would like to do now is:

Start a packet capture and export the CA certificate.

Then, import the certificate to your device, and mark it as a trusted CA.

Commit, and now Anydesk should work.

I am sharing here the CA certificate currently being used by Anydesk.

Copy the text below to a text file and rename it to ".crt"

Hope this is helpful.

Cheers!

Re: Solution for "SSL decryption bypass for Anydesk"

nikoolayy1 — Sun, 21 Mar 2021 22:23:00 GMT

And idea is If you want you can remove Anydesk from the "SSL Decryption Exclusion" and test decrypting it and presenting the users with the trusted certificate as a workaround (they will not see the self signed cert in this way) just check also if the SSL decryption profile allows self signed certficates.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPJfCAO

Re: Solution for "SSL decryption bypass for Anydesk"

OZamir — Mon, 22 Mar 2021 08:51:28 GMT

Due to client Certificate authentication, you cannot decrypt Anydesk.

This is Why is it added by PANW to "SSL Decryption exclusion" list.

The need to import the certificate into the NGFW is to make PANOS trust the self-signed certificate used by Anydesk server.

Re: Solution for "SSL decryption bypass for Anydesk"

nikoolayy1 — Mon, 22 Mar 2021 16:47:08 GMT

In this cas you are right that Palo Alto can't decrypt it.

Re: Solution for "SSL decryption bypass for Anydesk"

cverniani — Wed, 01 Sep 2021 07:43:30 GMT

It need even this anydesk relay certificate. After seen works.

Claudio Verniani - PAE

Re: Solution for "SSL decryption bypass for Anydesk"

hilgart — Mon, 18 Mar 2024 19:58:33 GMT

Does anyone have the updated CA certificate? This one expires April 7th this year.

Re: Solution for "SSL decryption bypass for Anydesk"

jfrost — Mon, 25 Mar 2024 15:33:48 GMT

I am in the same boat. I cannot find a replacement anywhere.

Re: Solution for "SSL decryption bypass for Anydesk"

MatwoksNetTeam — Fri, 05 Apr 2024 10:51:33 GMT

Same for me - anybody has the new certificate?

Re: Solution for "SSL decryption bypass for Anydesk"

ArtursOstapenko — Fri, 05 Apr 2024 11:19:51 GMT

Have you fixed it somehow?

We got same problem, can't get new CA certificate from sslabs.

Managed to get *.relay.net.anydesk.com certificate, but it's not working without AnyNet Root CA 2

Re: Solution for "SSL decryption bypass for Anydesk"

Tomasz_W — Mon, 08 Apr 2024 15:24:09 GMT

I was trying to download it using openssl but only managed to get Relay one 😞

Re: Solution for "SSL decryption bypass for Anydesk"

CosminM — Mon, 08 Apr 2024 19:16:13 GMT

Hello,

In the past it was working the workaround from this discussion: https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/m-p/516607#M107283

Now, when I can't have the AnyNet Root CA 2, I modified my Decryption Profile and unchecked "Block session with untrusted issuers" and I'm based only on URL's

Maybe this information will help you.

Re: Solution for "SSL decryption bypass for Anydesk"

ArtursOstapenko — Tue, 09 Apr 2024 05:53:56 GMT

In my case both options unchecked, but still not working, can yo share your Decryption policy for AnyDesk?
I'm using URL category *.net.anydesk.com and action no-decrypt.

Re: Solution for "SSL decryption bypass for Anydesk"

S.Support212931 — Tue, 09 Apr 2024 12:34:32 GMT

this has stopped working once the anynet rootCA cert expired on the 7th of april , we urgently need the updated ROOT CA cert.

please someone post it.

Re: Solution for "SSL decryption bypass for Anydesk"

MatwoksNetTeam — Tue, 09 Apr 2024 12:45:25 GMT

Welcome to the club . ( By the way anydesk started using the new certificate on 4/April/24 )
We have 2 open tickets with anydeks and 1 with PaloAlto and still nobody is helping in any way.
If someone manage to find the new certificate from the captures please share.

Re: Solution for "SSL decryption bypass for Anydesk"

CosminM — Tue, 09 Apr 2024 16:53:22 GMT

Hello @ArtursOstapenko

Please see my comments from this post: https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/td-p/198761 (on second page - it's step 3 Custom URL list)

Re: Solution for "SSL decryption bypass for Anydesk"

Tomasz_W — Tue, 09 Apr 2024 17:58:20 GMT

Hi Guys,

It works without certificate. Solution by @CosminM with a twist:

So, create URL list with those:

anynet%20relay/
anynet%20relay:80/
anynet%20relay:6568/
anynet relay:6568/
anynet relay:80/
anynet relay/

Decryption profile like that:

And Decryption rule like that:

And this is how it looks in logs:

I hope this helps 🙂

Re: Solution for "SSL decryption bypass for Anydesk"

S.Support212931 — Tue, 09 Apr 2024 18:14:06 GMT

so we have to create a service port for that decryption rule ? ( see my pic )

Re: Solution for "SSL decryption bypass for Anydesk"

CosminM — Wed, 10 Apr 2024 03:47:46 GMT

Hi @S.Support212931 ,

One of the steps it's to create a service for TCP destination port 6568. The source port it's dynamic and in your service should be empty.

Re: Solution for "SSL decryption bypass for Anydesk"

MatwoksNetTeam — Wed, 10 Apr 2024 06:20:59 GMT

I see 2 issues with this

1. This solution doesn't just allow anydesk to bypass the decryption - it basically allows everything to bypass the decryption for destination port 80 and 6568. How to you make sure only anydesk is allowed in this case ?

2. Even if we find a way to make it only for anydesk - it then bypass the decryption which is not something we want.
What is someone transfers a malicious file through anydesk during the session - How will the firewall be able to see it if decryption is off.

Re: Solution for "SSL decryption bypass for Anydesk"

ArtursOstapenko — Wed, 10 Apr 2024 06:46:52 GMT

This is reply what I've got from AnyDesk support:

AnyDesk does not use the PKI (public key infrastructure). Instead, we use our own trust chain to validate the server certificates. This gives us more control over the process and the certificate validation. For example, you can not just install a certificate as a trusted root certificate on the computer and use it to man-in-the-middle the connection.

Usually, you need to check the common name, so that someone can not use a certificate that was rightfully generated for domain a.com for another domain b.com, that he does not have access to. We do not generate certificates for other people or purposes, so in our case, it is enough to know that the certificate was signed by our CA.

This error happens because the system checking the certificate does not trust our root CA. The AnyDesk client however will.

There is no issue with the certificate being self-signed because the client generates the certificate by itself on the first start and it will only be linked to a new AnyDesk client ID on the server.