SHA256 forward decryption on Palo Alto Networks Firewall PanOS 5.0.15

EdwinD — Fri, 24 Apr 2015 16:17:31 GMT

I have a private subordinate CA signed using sha256. This is my forward decryption certificate. The trust anchor is also sha256.

With forward decryption enabled on my PanOS5.0.15 device, the certificates generated by the firewall are signed using sha1, even when the websites real certificate is signed using sha256.

The current changes made by Google to Chrome mean that the certificate indicator now has a warning because the sites certificate isn't using SHA256. In the future, Chrome will block access to such sites.

Does PanOS 5.0.15 have a setting that will let me resolve this issue?

References:

https://www.dropbox.com/s/8jmnp4cs84r5gnt/PaloAltoNetworksCert0.PNG?dl=0

https://www.dropbox.com/s/0tbjlk3plvz6zfu/PaloAltoNetworksCert1.PNG?dl=0

Re: SHA256 forward decryption on Palo Alto Networks Firewall PanOS 5.0.15

prb — Tue, 28 Apr 2015 12:26:04 GMT

HI EdwinD

Not sure if you already have an answer, if not, here you go -

Unfortunately, no.

This is supported only starting 6.1 as described in release notes -

Configurable Key Size for SSL Forward Proxy Server Certificates The firewall now supports both 2048-bit RSA keys (with SHA-256 hashing) and 1024-bit RSA keys (with SHA-1 hashing) for generating the certificates it uses to establish the SSL Forward Proxy session between itself and the client. This is an extension of the 2048-bit key support that was already available with SSL decryption. In previous releases, 2048-bit keys were supported in SSL Inbound Inspection sessions as well as in SSL Forward Proxy sessions between the firewall and the destination server. As part of the extended support for 2048-bit keys, the firewall will now by default dynamically choose the key size to use to establish SSL Forward Proxy sessions with clients, based on the key size used by the destination server. You can optionally configure a static key size for SSL Forward Proxy sessions between the firewall and clients regardless of the key size used by the destination server.

You can configure the setting under,

CLI:

deviceconfig {

setting {

ssl-decrypt {

fwd-proxy-server-cert-key-size {0 | 1024 | 2048};

}

WebUI:

Device -> Setup -> Session -> Forward Proxy Server Certificate Settings

Hope this answers your query.

Thank You.

topic Re: SHA256 forward decryption on Palo Alto Networks Firewall PanOS 5.0.15 in General Topics

SHA256 forward decryption on Palo Alto Networks Firewall PanOS 5.0.15

Re: SHA256 forward decryption on Palo Alto Networks Firewall PanOS 5.0.15