https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17368#M12678 <HTML><HEAD></HEAD><BODY><P>It failed on our end as well, although we decrypted the traffic.</P><P></P><P><IMG __jive_id="7725" alt="posteo.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7725_posteo.JPG" width="450" /></P><P></P><P><IMG alt="posteo-2.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7730_posteo-2.JPG" width="450" /></P><P></P><P><IMG alt="posteo-3.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7731_posteo-3.JPG" width="450" /></P></BODY></HTML> Thu, 15 Aug 2013 15:59:53 GMT kprakash 2013-08-15T15:59:53Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17363#M12673 <HTML><HEAD></HEAD><BODY><P>We are testing SSL decryption on our PA at the moment. We have found a site that could not be decrypted: <A class="active_link" href="https://posteo.de/" title="https://posteo.de/">https://posteo.de/</A></P><P>Has anyone of you an idea why the decryption fails for that site?</P><P>And how could I troubleshoot such problems? Because the normal log does not show any problem, but the browser shows an error message.</P><P></P><P>Thank you!</P></BODY></HTML> Thu, 15 Aug 2013 13:37:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17363#M12673 montgomery 2013-08-15T13:37:52Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17364#M12674 <HTML><HEAD></HEAD><BODY><P>Good Morning,</P><P><SPAN>I just checked the certificate for </SPAN><A class="jive-link-external-small" href="https://posteo.de/">https://posteo.de/</A><SPAN> and it is signed by StartCom. It also has an intermediate certificate as shown.</SPAN></P><P></P><P><IMG alt="Startcom.JPG" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7718_Startcom.JPG" /></P><P></P><P>Can you verify if Startcom is part of the Default Trusted Certificate Authorities?</P><P><IMG alt="Startcom.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7719_Startcom.JPG" width="450" /></P><P></P><P></P><P>Are you being presented with a forward Untrust Certificate? Also are we "Blocking sessions with untrusted issuers" ?</P><P><IMG alt="Startcom.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7720_Startcom.JPG" width="450" /></P><P></P><P>BR,</P><P>Karthik </P></BODY></HTML> Thu, 15 Aug 2013 14:04:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17364#M12674 kprakash 2013-08-15T14:04:50Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17365#M12675 <HTML><HEAD></HEAD><BODY><P>Hi Karthik,</P><P></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Can you verify if Startcom is part of the Default Trusted Certificate Authorities?</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">- Yes it is part of the default trusted certificate authorities</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">Are you being presented with a forward Untrust Certificate?</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">- No certificate is shown. IE just shows "This page cannot be displayed"</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">Also are we "Blocking sessions with untrusted issuers" ?</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">- No.</SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;">Thanks!<BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 12px; background-color: #ffffff; font-family: Arial, Helvetica, sans-serif;"><BR /></SPAN></P></BODY></HTML> Thu, 15 Aug 2013 14:45:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17365#M12675 hag 2013-08-15T14:45:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17366#M12676 <HTML><HEAD></HEAD><BODY><P>From what you have stated, it looks like we are either not seeing the entire TCP handshake completing for the SSL traffic, or there are some parameters on the Server Certificate that the PANFW doesnt like. If you set the action to No-Decrypt under the Decryption profile, does the webpage load?</P><P></P><P>Best regards,</P><P>Karthik RP</P></BODY></HTML> Thu, 15 Aug 2013 15:22:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17366#M12676 kprakash 2013-08-15T15:22:30Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17367#M12677 <HTML><HEAD></HEAD><BODY><P>Yes when we do no decrypt the page is loading as expected.</P></BODY></HTML> Thu, 15 Aug 2013 15:35:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17367#M12677 hag 2013-08-15T15:35:52Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17368#M12678 <HTML><HEAD></HEAD><BODY><P>It failed on our end as well, although we decrypted the traffic.</P><P></P><P><IMG __jive_id="7725" alt="posteo.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7725_posteo.JPG" width="450" /></P><P></P><P><IMG alt="posteo-2.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7730_posteo-2.JPG" width="450" /></P><P></P><P><IMG alt="posteo-3.JPG" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7731_posteo-3.JPG" width="450" /></P></BODY></HTML> Thu, 15 Aug 2013 15:59:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-fails/m-p/17368#M12678 kprakash 2013-08-15T15:59:53Z