<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ELSTER and SSL decryption in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/elster-and-ssl-decryption/m-p/31141#M22779</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In Germany one can use "ELSTER" to transmit tax reports electronically to the financial authorities. Elster is built into many ERP systems and the like.&lt;/P&gt;&lt;P&gt;Unfortunately the certificate used by the authorities is self-signed and therefore not trusted by the PA; it gets newly created and signed by the "forward_untrust" CA in the PA, causing a communication error in the ELSTER software (which has the original certificate hardcoded).&lt;/P&gt;&lt;P&gt;See attached a little how-to to fix this with a "not decrypt" rule. If anyone finds a better, more granular way to accomplish this, please let me know.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sat, 11 Aug 2012 10:29:52 GMT</pubDate>
    <dc:creator>u13550</dc:creator>
    <dc:date>2012-08-11T10:29:52Z</dc:date>
    <item>
      <title>ELSTER and SSL decryption</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/elster-and-ssl-decryption/m-p/31141#M22779</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In Germany one can use "ELSTER" to transmit tax reports electronically to the financial authorities. Elster is built into many ERP systems and the like.&lt;/P&gt;&lt;P&gt;Unfortunately the certificate used by the authorities is self-signed and therefore not trusted by the PA; it gets newly created and signed by the "forward_untrust" CA in the PA, causing a communication error in the ELSTER software (which has the original certificate hardcoded).&lt;/P&gt;&lt;P&gt;See attached a little how-to to fix this with a "not decrypt" rule. If anyone finds a better, more granular way to accomplish this, please let me know.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 11 Aug 2012 10:29:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/elster-and-ssl-decryption/m-p/31141#M22779</guid>
      <dc:creator>u13550</dc:creator>
      <dc:date>2012-08-11T10:29:52Z</dc:date>
    </item>
    <item>
      <title>Re: ELSTER and SSL decryption</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/elster-and-ssl-decryption/m-p/31142#M22780</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This is certainly a valid workaround and you will most likely not be able to find a better or more granular one.&lt;/P&gt;&lt;P&gt;The self-signed certificate is not the main problem here; it could be imported into the Palo Alto as a trusted CA.&lt;/P&gt;&lt;P&gt;However, the server IP addresses seem to use the same certificate (same fingerprint, same s/n) with the common name 'Elster HTTPS-Servlet', which will always result in a failed verification due to 'hostname mismatch'.&lt;/P&gt;&lt;P&gt;On top of that, the certificate of www.elsterft.de has been expired since Dec. 19, 2011 (as of today, Aug. 11, 2012).&lt;/P&gt;&lt;P&gt;Even if you were able to overcome all these issues, SSL decryption will most likely still fail, because the server requires mutual certificate authentication.&lt;/P&gt;&lt;P&gt;Congratulations to the German tax authorities for this great implementation and the ISO 27001 certification.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 11 Aug 2012 19:00:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/elster-and-ssl-decryption/m-p/31142#M22780</guid>
      <dc:creator>panwmod</dc:creator>
      <dc:date>2012-08-11T19:00:35Z</dc:date>
    </item>
  </channel>
</rss>