topic Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2 in General Topics

SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

licenselu — Thu, 19 Jul 2012 09:40:49 GMT

Hello,

I'm running a cluster of PA (4.0.8) with SSL Decryption configured.

SSL Decryption is not able to decrypt SSL traffic if the HTTPS session is using TLS 1.1 or TLS 1.2.

Test with www.gmail.com

Chrome : OK (see gmail application in the traffic log)

Firefox : idem

IE 8 or 9 with TLS 1.1 or TLS 1.2 DISABLED : idem

IE 8 or 9 with TLS 1.1 or TLS 1.2 ENABLED : see only SSL application

Is it solved in 4.1.6 (I plan to upgrade my cluster with this release) ??

Regards,

Hedi

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

mikand — Thu, 19 Jul 2012 11:31:24 GMT

Could this be your case ?

According to this PA supports TLSv1. But I think there were discussions in some thread regarding TLS 1.2 or if it was TLS 1.3 which currently wasnt supported and you to contact your sales engineer to file a request.

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

licenselu — Thu, 19 Jul 2012 15:41:40 GMT

Hello,

First, thanks for your answer.

The document only mention SSL2.0, 3.0 and TLS 1.0. No infos about TLS 1.1 or TLS 1.2...

In my case, we don't have any problem with the certificate itself because the SSL interception is not doing it's job...

I will upgrade 4.1.6 and keep you inform if it's solved or not...

Regards,

Hedi

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

licenselu — Fri, 20 Jul 2012 12:15:54 GMT

Hello all,

After upgrading to 4.1.6, I can confirm PA is NOT ABLE to decrypt TLS 1.1 or TLS1.2.

I'm waiting an OFFICIAL answer from PA now : When will it be supported ???

Regards,

Hedi

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

ExclusiveNetworksGermany — Mon, 23 Jul 2012 14:45:09 GMT

Hi,

as far as i know later Versions of TLS are currently not supported.

This Information was from PanOS 4.0.x

but since i didn't see anything in the Release Notes of 4.1.x it should be still correct.

Regards

Marco

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

essnet — Tue, 07 Aug 2012 09:04:20 GMT

Hello,

I totally second your claims. In addition TLS 1.0 is partially finished : it lacks TLS Extensions, which make for example https://www.gmail.com to fail decryption.

Regards

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

essnet — Wed, 22 Aug 2012 08:17:08 GMT

According to Chrome dev team, newest version has TLS 1.1 disabled because of issues with IIS : Chrome Releases: Stable Channel Update

Thank you Microsoft, you're saving us for once :smileysilly:

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

licenselu — Wed, 22 Aug 2012 08:59:32 GMT

Hello,

This is answer is receiver from my local SE.

"TLS v1.1 should be supported as of v4.0.x.
I found a note that if diffie hellman is used in the key establishment we can’t decrypt."

"v1.2 seems to be targeted for the next major release (5.x)."

Regards,

Hedi

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

essnet — Wed, 22 Aug 2012 09:04:01 GMT

Hello,

I have been in relation for months with product and support managers, it was said many times that 1.1 is not supported and 1.0 is partially (lack of critical extensions).

Strange we don't have same informations :smileygrin:

Anyway, I am always running my own tests and found out that above SSLv2, compatibility is poor.

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

ttongfly — Mon, 26 Nov 2012 02:23:31 GMT

Hello,

Would TLS 1.1 and 1.2 be decrypted by PANOS 5.0 for now?

TLS 1.1 with differ hellman could no be decrypted on PANOS 5.0 also?

Thanks.

Regards.

Roh

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

essnet — Wed, 28 Nov 2012 17:12:54 GMT

Hello,

5.0 doesn't bring better TLS support but it's bringing more control about actions when decryption fails or certificates is not trusted.

Decryption is no go for me until 5.1 (if they put it in 5.1)

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

Georges — Tue, 08 Jan 2013 20:22:39 GMT

Any update from PAN?

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

edmondsadmin — Thu, 18 Apr 2013 16:56:33 GMT

I'm running PAN 5.0.2. Still not working.

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

mwalter — Tue, 30 Jul 2013 21:22:26 GMT

Hello,

we currently do not support decryption of TLS1.2. TLS 1.2 hasn't be broadly supported by browsers until more or less practical TLS 1.0 and block cipher related attacks where demonstrated by cryptographers as proof of concept code. We do see a slow increase of TLS 1.2 support in major browsers lately. Especially Google Chrome and Apple Safari support in their standard configuration now. Since PANOS 5.0, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

mikand — Thu, 01 Aug 2013 19:38:54 GMT

Why not implement support for TLS 1.1 and 1.2?

I really dont get it...

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

Retired Member — Thu, 07 Nov 2013 02:26:11 GMT

For now, TLS 1.1 and 1.2 Support in SSL decryption? Anybody knows about that?

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

licenselu — Thu, 07 Nov 2013 08:07:56 GMT

Hello,

According to my local SE, TLS 1.2 decryption should be supported in release train 6.x...

Regards,

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

mikand — Sun, 01 Dec 2013 17:02:23 GMT

Would this be valid for the whole range from PA-200 to PA-5000 or just specific models?

Like will PA-2000 and PA-4000 be exluded?

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

kdd — Tue, 04 Feb 2014 10:07:16 GMT

Hello, some news about tls 1.2 which belong to PAN-OS 6.0 previous releases of PAN-OS only supported TLS version 1.1. This release provides the Palo Alto Networks firewall with the ability to decrypt inbound sessions and forward proxy sessions that negotiate with TLS 1.2. With this release TLS 1.2 is enabled by default and cannot be disabled. This implementation includes the following details:  TLS 1.2 is supported as defined by RFC 5246.  The following additional cipher suites are supported: TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_256_CBC_SHA256.  Newer unsupported versions of TLS (1.3+) will be downgraded to 1.2 when used with the PAN-OS. without any limitation for specific models

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

ggoudr — Wed, 03 Jun 2015 14:36:22 GMT

Unfortunately I have tested SSL Decryption with Site that supports TLS1.2 and PANOS 6.0.10 with the latest version of firefox (v38.0.5) and I get "Secure Connection Failed" because firefox 38 does not failback from TLS version 1.2 to TLS version 1.1 as mentioned in the following https://support.mozilla.org/en-US/kb/tls-error-reports

since TLS1.1 is considered insecure TLS version by mozilla foundation

It seems that the problem appears only if the Cipher suite of the site is TLS_RSA_WITH_AES_256_CBC_SHA256 and SSL Decryption with TLS1.2. This does not apply for Cipher Suite TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS1.2/