topic Re: SSL Inbound decryption and nginx webserver in General Topics

SSL Inbound decryption and nginx webserver

ctovazzi — Sat, 25 Apr 2015 13:11:01 GMT

Hello,

I try to configure nginx 1.6.2 (on linux ubuntu server 14.04 LTS) with fully support SSL Inbound decryption.

We're running PAN-OS 6.0.9.

Based on the document Inbound SSL Decryption Not Working Due to Unsupported Cipher Suites, I configure this on my nginx.conf:

ssl_ciphers "AES256-SHA256:AES128-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES256-SHA:AES128-SHA";

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

But, PAN-OS not decrypt traffic.

Can you help me ?

Tnx

Carlo

Re: SSL Inbound decryption and nginx webserver

prb — Tue, 28 Apr 2015 13:03:04 GMT

Hi ctovazzi,

Can you let a pcap run on the client machine, locate the cipher suite chosen from the server hello packet and paste it here?

Say for example -

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

And also output of command,

>show counter global | match proxy

Thank You.

Re: SSL Inbound decryption and nginx webserver

ctovazzi — Tue, 28 Apr 2015 16:14:52 GMT

Hi prb,

I run pcap on the client machine.

On pcap, I find this (from my client to server):

HandShake protocol: Client Hello

Version: TLS 1.2

Cipher Suites (21 suites):

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)

Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)

Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)

Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

and this (from server to client after Client Hello Hadshake protocol)

TLSv1.2 Record Layer: Handshake Protocol: Server Hello

Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

Carlo

Re: SSL Inbound decryption and nginx webserver

James_Costello — Wed, 29 Apr 2015 13:04:02 GMT

Just to verify

The traffic is going from one zone to another or alternatively between two different interfaces of the same zone on the firewall

There is a security policy in place to allow the traffic to flow

The certificate and private key for the nginx set have been installed on the PA

There is a decryption policy set for SSL Inbound Inspection

Is the client connecting to the server IP or the NAT address for the server?

If you could provide more detail about your configuration, that would help to troubleshoot

Re: SSL Inbound decryption and nginx webserver

prb — Wed, 29 Apr 2015 19:08:12 GMT

Hi ctovazzi,

From the logs, issue is not with unsupported cipher suite.

You should verify configuration as requested by costello.

If everything is fine, you can check counters to narrow down further.

>show counter global | match proxy