topic Re: issue with SSL decrypt-forward proxy in General Topics

issue with SSL decrypt-forward proxy

Javith — Thu, 05 Jun 2014 08:22:01 GMT

Customer Network configured with SSL decrypt-forward proxy. Now they can't able to browse more sites (eg:birdres.com, sap.snn,etc).

They were not satisfied with exclude ssl decrypt. (due to more no.of sites in exclude list). Is there any other way?

Thanks

Re: issue with SSL decrypt-forward proxy

VinceM — Thu, 05 Jun 2014 15:20:55 GMT

Hi all,

How is configured you decryption policy ?

If you access for exemple to http://www.birdres.com, decryption should have no impact on it because it's http and not ssl.

which PA model ? wich version ?

Please read: How to Implement SSL Decryption

Hope help

Re: issue with SSL decrypt-forward proxy

HULK — Thu, 05 Jun 2014 15:39:45 GMT

Hello Javith,

Could you please verify the URL's, which is not working as expected with below mentioned list. There are few applications that do not play well when decryption is turned on, on the PA firewall.

Here is a document with a list of the applications we've already identified that should be excluded from decryption:

List of Applications Excluded from SSL Decryption

Reference doc: How to Exclude a Single URL from SSL Decryption

Thanks

Re: issue with SSL decrypt-forward proxy

Javith — Thu, 05 Jun 2014 16:35:16 GMT

Hi Hulk,

When browsing http://www.birdres.com (and 70 other sites ) they got the certification error message in browser. Customer don't want to configure exclude-list for those 70sites-not related to ur exclude rule (which will keep on increasing). If they proceed with the certification error msg then webpage loaded and displayed. then again got cert error within a second.

Re: issue with SSL decrypt-forward proxy

gwesson — Thu, 05 Jun 2014 16:52:23 GMT

This may be relevant:

SSL Decryption for Some Site Shows as Not Trusted

I checked https://www.birdres.com (rather than http://) and found that it does not use the GoDaddy intermediate CA referenced in the above article, but it's possible that the "Verisign Class 3 International Server CA - G3" intermediate CA is in the same boat as the article I provided.

Try grabbing that Verisign intermediate CA and installing it as a trusted root on the firewall that is doing the decryption.

Hope this helps,

Greg

Re: issue with SSL decrypt-forward proxy

Javith — Thu, 05 Jun 2014 17:28:49 GMT

Hi,

Can i copy the same root CA (which is in the article) and load into the firewall ?

Thanks

Re: issue with SSL decrypt-forward proxy

gwesson — Thu, 05 Jun 2014 17:52:08 GMT

The one in the article is not a root, but rather an Intermediate CA. It's for GoDaddy, and you're welcome to install it (I recommend doing so in fact). It won't help you if the Verisign cert I talked about is missing, because Verisign is not GoDaddy so you'd need to get the Verisign cert separately.

My recommendation is to try the steps in the article, and see if the number of sites you have issues with is reduced at all. If not, then the issue discussed in the article may not be what you are affected with.

Best,

Greg

Re: issue with SSL decrypt-forward proxy

Javith — Fri, 06 Jun 2014 06:18:24 GMT

Hi all,

I loaded the CA as per gwesson recommendation. But two of these sites(will keep increasing) remains with cert error.

I see the certificates of these two sites(scn.sap.com/welcome and birdres.com) - both doesn't have public audit records and not trusted.

one site with verisign and other site with geo trust cert..Anybody please suggest.

Thanks

Re: issue with SSL decrypt-forward proxy

Javith — Wed, 11 Jun 2014 10:18:28 GMT

Hi All,

Thank You for your replies.

I opened a TAC case for this issue.

TAC engineer said these two sites requiring the client side authentication. He also demonstrates it using HTTP Watch( HTTP debugger).

So this two sites also in SSL-decrypt exclude list for PAN FW.