https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24410#M17800 <HTML><HEAD></HEAD><BODY><P>Chrome uses a mechanism called Certificate Pinning for google-based sites (google, youtube, gmail, etc.). If your users don't trust the root CA used in your SSL decryption, there is no way to bypass the message you're seeing. Once you trust the CA used for your decryption, and you clear the cache of the browser, you should be able to go back to gmail and it should work.</P><P></P><P>Chrome, IE, and Safari all use the Windows certificate store. Firefox uses its own, so you'll have to repeat the steps on Firefox if you hit it there too.</P><P></P><P>Cheers,</P><P>Greg</P></BODY></HTML> Wed, 10 Jun 2015 17:15:19 GMT gwesson 2015-06-10T17:15:19Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24409#M17799 <HTML><HEAD></HEAD><BODY><P>Dears,</P><P></P><P>We tried to configure SSL Decryption in our 3020 box and for some users with no certificate applied, we have that common certificate error page.... But in our case, we have no "bypass button" ....</P><P></P><P>we created everything according PA tutorial and also we created a custom URL containing <STRONG>*.google.com</STRONG> and <STRONG>google.com</STRONG></P><P></P><P><IMG alt="ScreenShot040.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20021_ScreenShot040.jpg" style="height: 510px; width: 620px;" /></P></BODY></HTML> Wed, 10 Jun 2015 15:47:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24409#M17799 FabioGarcia 2015-06-10T15:47:17Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24410#M17800 <HTML><HEAD></HEAD><BODY><P>Chrome uses a mechanism called Certificate Pinning for google-based sites (google, youtube, gmail, etc.). If your users don't trust the root CA used in your SSL decryption, there is no way to bypass the message you're seeing. Once you trust the CA used for your decryption, and you clear the cache of the browser, you should be able to go back to gmail and it should work.</P><P></P><P>Chrome, IE, and Safari all use the Windows certificate store. Firefox uses its own, so you'll have to repeat the steps on Firefox if you hit it there too.</P><P></P><P>Cheers,</P><P>Greg</P></BODY></HTML> Wed, 10 Jun 2015 17:15:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24410#M17800 gwesson 2015-06-10T17:15:19Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24411#M17801 <HTML><HEAD></HEAD><BODY><P>Hello and Thank you for the help!!</P><P>I tried everything... and just mail.google.com I have no bypass button....</P><P></P><P>cert error screen for google.com</P><P><IMG alt="ScreenShot041.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20030_ScreenShot041.jpg" style="height: 451px; width: 620px;" /></P><P></P><P>Is there any option to bypass this <STRONG>"HTTP Strict Transport Security (HSTS)"</STRONG> ?? As far as I understood... that site force us to trust the certificate or it will not allow the access.... right ?</P><P></P><P>thanks and best regards</P></BODY></HTML> Wed, 10 Jun 2015 19:42:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24411#M17801 FabioGarcia 2015-06-10T19:42:42Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24412#M17802 <HTML><HEAD></HEAD><BODY><P>HSTS is a setting enforced by servers, not browsers, which forces the clients connecting to use TLS instead of plain HTTP.</P><P></P><P>You need to install the CA cert used in your firewall's decryption policy onto the clients and make it a trusted CA. That's the only way to correctly use decryption.</P><P>Here are the steps for Firefox: <A href="https://live.paloaltonetworks.com/docs/DOC-7521">After Configuring SSL Decryption Mozilla Firefox Presents Certificate Error</A></P></BODY></HTML> Wed, 10 Jun 2015 20:17:08 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24412#M17802 gwesson 2015-06-10T20:17:08Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24413#M17803 <HTML><HEAD></HEAD><BODY><P>We had a similar issue with a secure site and Firefox wouldn't offer the option to bypass on a PC while it did work on mine. We use the same version, and we're on the same subnet. Clearing the cache in Firefox on his PC is all it took for it offer the option to continue.</P><P></P><P>"for some users with no certificate applied, we have that common certificate error page..."</P><P></P><P>BTW, if you're decrypting traffic and don't have the certificate applied for some people and they get the alert, be aware that you're conditioning these users to blindly accept any untrusted connection in the future.</P><P></P><P>Also, some sites won't allow to continue if the MIM certificate is not installed, no matter what. Those sites will have to be added to an ssl bypass list.</P><P></P><P>Larry.</P></BODY></HTML> Fri, 12 Jun 2015 19:29:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-no-bypass-at-cert-error-screen/m-p/24413#M17803 hvcomputech 2015-06-12T19:29:16Z