https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3096#M2311 <HTML><HEAD></HEAD><BODY><P>Looks like the CRL/OSCP check is timing out - look at Status: timed-out and hence the error message. Can you verify if there is any network latency in retrieving the crl list or reaching the server itself?</P></BODY></HTML> Mon, 24 Jun 2013 18:10:49 GMT zarina 2013-06-24T18:10:49Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3093#M2308 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>we have some trouble with a lot of Google sites when we enable SSL decryption and also enable CRL and OCSP checks. We either get no response at all, or error messages like the one in the attached screenshot. If we disable the CRL/OCSP checks (which is undesirable I guess), then we have no problems at all. Google is the only destination we have these problems with and regarding to the system logs, the CRL list retreival is working fine.</P><P></P><P>Any ideas?</P><P></P><P>Thanks</P><P>Sascha</P></BODY></HTML> Mon, 24 Jun 2013 17:12:51 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3093#M2308 cryptochrome 2013-06-24T17:12:51Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3094#M2309 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">If you look at the certificate that you get when you go to<SPAN style="font-style: inherit;"> any google website like </SPAN><A class="jive-link-external-small" href="https://youtube.com/" style="font-style: inherit; text-decoration: underline; color: #316989;">https://youtube.com</A> (click on the icon to the left of the address to view certificate info) you will see that the common name is *.google.com.&nbsp; Google uses this wildcard certificate for most of its sites.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Before decrypting the traffic the firewall only has the common name on the certificate to use for looking up URL category.&nbsp; *.google.com is in the Search Engines category, so that's what the firewall identifies it as when you go to google sites like </P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><A class="jive-link-external-small" href="https://youtube.com/" style="font-style: inherit; text-decoration: underline; color: #316989;">https://youtube.com</A> , or basically any other Google service.&nbsp; Once you have decrypted the traffic the firewall can do the URL lookup based on the HTTP GET request for the website.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Best regards,</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Karthik RP</P></BODY></HTML> Mon, 24 Jun 2013 17:23:13 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3094#M2309 kprakash 2013-06-24T17:23:13Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3095#M2310 <HTML><HEAD></HEAD><BODY><P>Thanks, but it's not a problem of being blocked by firewall policy. It's a problem with the PAN checking Google's certificates. </P><P></P><P>See this:</P><P><IMG alt="cert.PNG" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/7058_cert.PNG" style="width: 450px; height: 283px;" /></P><P></P><P>As I wrote above, it must have something to do with checking CRL/OCSP in Device -&gt; Service -&gt; Session -&gt; Decryption Certificate Revocation Settings.</P><P></P><P>If we disable the checks, it works fine.</P></BODY></HTML> Mon, 24 Jun 2013 17:32:49 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3095#M2310 cryptochrome 2013-06-24T17:32:49Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3096#M2311 <HTML><HEAD></HEAD><BODY><P>Looks like the CRL/OSCP check is timing out - look at Status: timed-out and hence the error message. Can you verify if there is any network latency in retrieving the crl list or reaching the server itself?</P></BODY></HTML> Mon, 24 Jun 2013 18:10:49 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3096#M2311 zarina 2013-06-24T18:10:49Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3097#M2312 <HTML><HEAD></HEAD><BODY><P>As I said earlier, regarding to my system logs, there are no issues with retrieving the CRL lists. There is no timeout, and Google is the only destination that's affected. The "timeout" in the error message is indeed strange, but sometimes we get no error message at all.</P><P></P><P>Thanks!</P></BODY></HTML> Mon, 24 Jun 2013 20:54:36 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3097#M2312 cryptochrome 2013-06-24T20:54:36Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3098#M2313 <HTML><HEAD></HEAD><BODY><P>1&gt;Can you&nbsp; try to increase the timeout value for the settings under <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> Decryption Certificate Revocation Settings</SPAN> : to max=60sec .</P><P>2&gt;What is the Software Version installed on the firewall?</P><P>3&gt;Can you attach the following log</P><P></P><P>&gt;less mp-log sslmgr.log</P><P></P><P>Also following discussion may interest you:</P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/message/28884#28884">https://live.paloaltonetworks.com/message/28884#28884</A></SPAN></P></BODY></HTML> Tue, 25 Jun 2013 08:11:41 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3098#M2313 UhMayYeah 2013-06-25T08:11:41Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3099#M2314 <HTML><HEAD></HEAD><BODY><P>Hello Nadir,</P><P></P><P>we are running 5.0.4. And I am seeing the same error messages in sslmgr.log that are described in the other discussion you linked to. So it's safe to assume we are hitting this bug as well. I will try to turn off OCSP checks. If I understand the bug correctly, it's only happening after turning on OCSP. What do you think?</P><P></P><P>Thanks</P><P>Sascha</P></BODY></HTML> Tue, 25 Jun 2013 19:02:15 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3099#M2314 cryptochrome 2013-06-25T19:02:15Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3100#M2315 <HTML><HEAD></HEAD><BODY><P>Hello Sacha,</P><P></P><P>If you are seeing the same error ,its likely that we are&nbsp; encountering the Bug referenced in the discussion that would be fixed with OS_5.0.7.</P><P></P><P>-Nadir</P></BODY></HTML> Tue, 25 Jun 2013 20:06:26 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3100#M2315 UhMayYeah 2013-06-25T20:06:26Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3101#M2316 <HTML><HEAD></HEAD><BODY><P>Thanks. Just for clarification: Isn't certificate revocation checking decoupled from decryption? Meaning, even if I bypass Google from decryption, wouldn't the certificate checks still jump in? Or are these settings only used in tandem with decryption?</P></BODY></HTML> Tue, 25 Jun 2013 20:22:16 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3101#M2316 cryptochrome 2013-06-25T20:22:16Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3102#M2317 <HTML><HEAD></HEAD><BODY><P>Where can I find a statement in the manual that proofs this?</P><P></P><P>As far as I know the PA will only check the cert for revocation when its being part of the decryption.</P><P></P><P>If the session is not being intercepted then there will be no checks for revocation (how would the PA otherwise be able to display an error message for the client (that the cert is revoked) if the ssl session isnt decrypted?).</P></BODY></HTML> Wed, 26 Jun 2013 08:19:05 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3102#M2317 mikand 2013-06-26T08:19:05Z https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3103#M2318 <HTML><HEAD></HEAD><BODY><P>I have generally seen OSCP settings come into play for&nbsp;&nbsp; CP ,GP</P><P>But based on the Bug that was referenced in the&nbsp; <A _jive_internal="true" href="https://live.paloaltonetworks.com/message/28884#28884" style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #316989;">https://live.paloaltonetworks.com/message/28884#28884</A>.</P><P>OCSP did affect ssl-decrypted traffic.The CLI setting to enable OCSP is as follows:</P><P></P><P># set deviceconfig setting ssl-decrypt ocsp yes</P><P>which I found is same as enabling OCSP from the WebUI.</P></BODY></HTML> Wed, 26 Jun 2013 10:24:35 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-decrypting-google-traffic/m-p/3103#M2318 UhMayYeah 2013-06-26T10:24:35Z