https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24895#M18168 <HTML><HEAD></HEAD><BODY><P>Hello HULK,</P><P>Thanks for giving information <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />. It's a strongly needed information.</P><P>But I have question remaining is how do I bypass the unsupported SSL traffic such as a SSL with using unsupported cipher-suite.</P><P></P><P>Should I not assign the SSL decryption profile that makes bypass the unsupported SSL traffic? or how?</P><P>I tried to find that URL for SSL handshaking but could not find. I believe that Ciper Suite : TLS_RSA_WITH_AES_256_CBC_SHA makes hiding URL for SSL handshaking, right? I am not sure.</P><P></P><P>If I found that URL for SSL handshaking and recognizing URLs of SSL by PAN, I could make a no-decrypt rule but now I cannot do.</P><P></P><P>Thanks.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Tue, 04 Feb 2014 02:16:57 GMT Retired Member 2014-02-04T02:16:57Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24891#M18164 <HTML><HEAD></HEAD><BODY><P>Hello guys.</P><P></P><P>I have installed SSL decryption policy, which is forward proxy, for particular users. It's working fine but some problem occurred. Korean messenger application called kakao-talk for PC is not being able to login during forward-proxy SSL decryption policy applied. So I tried to capture the PCAPs for kakao-talk login function and they were using that TLS version 1.1 and Ciper Suite : TLS_RSA_WITH_AES_256_CBC_SHA (0x0035).</P><P></P><P>I could not find that any document for unsupported cipher suite for forward proxy (outbound SSL decryption). My question is PAN could not support cipher suite, TLS_RSA_WITH_AES_256_CBC_SHA? How do I bypass for the unsupported cipher suite for outbound SSL decryption? I tried to create a decryption profile that not to enable any block policy but it could not be bypassed and kakao-talk was not able to login.</P><P></P><P>Please let me know what is unsupported cipher suite for outbound SSL decryption and how can I bypass for unsupported outbound SSL decryption traffic.</P><P></P><P>Thanks in advance.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Tue, 04 Feb 2014 01:37:20 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24891#M18164 Retired Member 2014-02-04T01:37:20Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24892#M18165 <HTML><HEAD></HEAD><BODY><P>Do you have decryption profile assigned to the decryption policy ( Options Tab in the policy )&nbsp; . If so, can you verify if the "Block sessions with unsupported cipher suites" is selected and disable it and try again&nbsp; ? You can define what should be blocked or not blocked for the Unsupported Modes in the decryption profile</P></BODY></HTML> Tue, 04 Feb 2014 01:51:09 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24892#M18165 knarra1 2014-02-04T01:51:09Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24893#M18166 <HTML><HEAD></HEAD><BODY><P>Hello knarra,</P><P>Thanks for interesting my question.</P><P></P><P>Yes, The decryption profile assigned to the decryption policy and I disabled the option "Block sessions with unsupported cipher suites" but it's not working to login for kakao-talk application.</P><P></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/11416_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>Thanks again.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Tue, 04 Feb 2014 02:06:52 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24893#M18166 Retired Member 2014-02-04T02:06:52Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24894#M18167 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>For SSL decryption, we only support SSLv3, TLSv1.0, and TLSv1.1 (TLSv1.2 will be downgraded in forward-proxy mode as of 4.1.9 and 5.0.0)</P><P></P><P>Supported cipher suits:</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">RSA-AES256-CBC-SHA</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">RSA-AES128-CBC-SHA</SPAN></P><P>RSA-3DES-EDE-CBC-SHA</P><P>RSA-RC4-128-MD5</P><P>RSA-RC4-128-SHA</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 04 Feb 2014 02:10:34 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24894#M18167 HULK 2014-02-04T02:10:34Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24895#M18168 <HTML><HEAD></HEAD><BODY><P>Hello HULK,</P><P>Thanks for giving information <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />. It's a strongly needed information.</P><P>But I have question remaining is how do I bypass the unsupported SSL traffic such as a SSL with using unsupported cipher-suite.</P><P></P><P>Should I not assign the SSL decryption profile that makes bypass the unsupported SSL traffic? or how?</P><P>I tried to find that URL for SSL handshaking but could not find. I believe that Ciper Suite : TLS_RSA_WITH_AES_256_CBC_SHA makes hiding URL for SSL handshaking, right? I am not sure.</P><P></P><P>If I found that URL for SSL handshaking and recognizing URLs of SSL by PAN, I could make a no-decrypt rule but now I cannot do.</P><P></P><P>Thanks.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Tue, 04 Feb 2014 02:16:57 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24895#M18168 Retired Member 2014-02-04T02:16:57Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24896#M18169 <HTML><HEAD></HEAD><BODY><P>Hello Roh,</P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">First of all, we</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> can't decrypt where </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"><SPAN class="GINGER_SOFTWARE_mark">diffie</SPAN></SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"><SPAN class="GINGER_SOFTWARE_mark">hellman</SPAN></SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> is used in the key establishment. SSL traffic will be encrypted, so we can not see the original URL <SPAN class="GINGER_SOFTWARE_mark">on</SPAN> the URL logs. URL logs will give us the certificate name. If you have that Destination IP address, you can create a No-Decryption policy for that specific destination <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>top of the policy table).</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks<BR /></SPAN></P></BODY></HTML> Tue, 04 Feb 2014 02:40:52 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24896#M18169 HULK 2014-02-04T02:40:52Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24897#M18170 <HTML><HEAD></HEAD><BODY><P>Hello HULK,</P><P></P><P>Thanks for giving a information. Finally I created a no-decrypted rule with destination address and it's working fine.</P><P></P><P>Have a nice day.</P><P>Regards,</P><P>Roh</P></BODY></HTML> Tue, 04 Feb 2014 03:27:03 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/24897#M18170 Retired Member 2014-02-04T03:27:03Z https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/446664#M100609 <P>Hi,</P><P>I have recently found this topic, but I have the same problem. We have PAN OS 9.1.7 which already have predefine ssl decryption exclude list contain *.kakao.com, even I have added more kakao.com domain into the exclude list or add the url category or destination with kakao IP address in the no decryption policy, while other traffic like web-browsing and ssl will decrypt. It is still failed to login Kakao talk when ssl decryption in place.</P><P>The only way to make Kakao talk work is to NOT decrypt everything, with the no decrypt rule place at first in the decryption policy pool.</P><P>Would anyone please help to suggest, my aim is to make the Kakao talk works and we can still decrypt normal http/https traffic.</P><P>Thank you</P> Wed, 10 Nov 2021 07:25:18 GMT https://live.paloaltonetworks.com/t5/general-topics/questioning-about-unsupported-cipher-suite-for-ssl-decryption/m-p/446664#M100609 terryc07 2021-11-10T07:25:18Z