topic page cannot be viewed properly in General Topics

page cannot be viewed properly

Retired Member — Tue, 16 Jul 2013 19:47:20 GMT

Hi,

There is a web page that cannot be viewed properly because of ssl decryption.Decryption is made for gmail applications by using custom url

Is there a way to fix that without disabling ssl decryption ?

Re: page cannot be viewed properly

mikand — Tue, 16 Jul 2013 20:01:35 GMT

Try to locate which TLS version is being used.

It seems that PA (still) doesnt properly support TLS1.2 (or if it was TLS1.1). There were previously rumours that this would have been fixed in PANOS 5.0 but it doesnt seem like that.

Re: page cannot be viewed properly

gwesson — Wed, 17 Jul 2013 00:41:58 GMT

The gmail server is an interesting animal when it comes to SSL. If you go to "https://gmail.com" it fails to decrypt, but if you go to "https://mail.google.com". I haven't found a solid answer to that in my testing, and I can only speculate that it has to do with the multiple handshakes, redirects, and certs used.

Try hitting the full (final) URL for google services to see if it will decrypt properly.

-Greg

Re: page cannot be viewed properly

mikand — Wed, 17 Jul 2013 21:12:07 GMT

According to https://www.ssllabs.com/ssltest/analyze.html both sites has:

Protocols

TLS 1.2 Yes

TLS 1.1 Yes

TLS 1.0 Yes

SSL 3.0 Yes

SSL 2.0 No

and

Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128

TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128

SSL_RSA_WITH_RC4_128_SHA (0x5) 128

SSL_RSA_WITH_RC4_128_MD5 (0x4) 128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 256

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 168

SSL_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128

However www.gmail.com has a note of "This site works only in browsers with SNI support.".

Could it be that PA doesnt have support för SNI?

For more info of SNI:

http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Other than that the certs seems to be issued weekly (for both sites the valid from was set to 12 july 2013...), could it be some ssl-cache problem within PA?

Re: page cannot be viewed properly

Retired Member — Wed, 17 Jul 2013 21:19:35 GMT

good point.Maybe you are right about cache.

Re: page cannot be viewed properly

Retired Member — Fri, 19 Jul 2013 21:04:34 GMT

This happens with chrome only.

I searched and found

but that did not solve our problem.When I disable decryption it works fine.

Re: page cannot be viewed properly

sdurga — Fri, 19 Jul 2013 21:43:20 GMT

Is the decryption certificate used by the firewall, trusted by the PC from where you are browsing the web-page ? I have seen similar issues, downloading the SSL forward proxy certificate that is used on the firewall and adding it to the trusted root ca folder in certificate store of the pc fixed the issue for me.

Re: page cannot be viewed properly

Retired Member — Fri, 19 Jul 2013 23:33:30 GMT

it was imported for a long time.importing again to root after that issue has fixed the page problem.Thanks.