topic Re: SSL decryption issues with latest Firefox in General Topics

SSL decryption issues with latest Firefox

dieter_b — Wed, 20 May 2015 18:38:48 GMT

I'm having SSL decryption issues with the latest versions of Firefox.

In Firefox i get following error when visiting a https site:

Secure Connection Failed

An error occurred during a connection to live.paloaltonetworks.com. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.

Seems to be related to how Firefox handles certificates, requiring them to be more secure (number of bits and encryption algorithm), but I haven't found the exact requirements yet.

I can generate and deploy a new certificate, but I'm not sure what will give me one Firefox will accept.

Any thoughts ?

Re: SSL decryption issues with latest Firefox

dieter_b — Thu, 21 May 2015 09:44:45 GMT

Also seems related to the Issuer CN in the certificate (see 1153204 – Firefox doesn't connect to https://www.deutschepost.de/ because its issuer certificate contains invalid dNSNam… )

In our case it contains the IP adres of the firewall, where Firefox seems to expect a dns name.

I have not been able to confirm this yet...

Re: SSL decryption issues with latest Firefox

aabdelhali — Thu, 21 May 2015 14:27:04 GMT

Does this happen with all https URLs?

Re: SSL decryption issues with latest Firefox

dieter_b — Thu, 21 May 2015 14:50:48 GMT

All url categories that require decryption, yes. So the error definitely relates to the decryption certificate (and not the websites I'm trying to visit).

Re: SSL decryption issues with latest Firefox

GLastra — Mon, 25 May 2015 19:27:03 GMT

Hi Dieterb,

was your issue solved? if not, would be useful if you can write the Firefox version and the CA certificate information.

regards,

Re: SSL decryption issues with latest Firefox

dieter_b — Tue, 26 May 2015 10:05:05 GMT

Firefox 38.

Firefox 37 and earlier are not affected.

I have not tried a newer beta yet.

Certificate is one generated with PA. It only contains a handful of default attributes (organization, email ...).

Replacing the IP with a valid dns entry did not resolve the issue.

One would call it a Firefox issue... But I guess it's the way the PA generates the certificate. Would be good to know if this issue is resolved with newer PANOS version or to have a workaround.

Re: SSL decryption issues with latest Firefox

jdelio — Tue, 26 May 2015 18:38:47 GMT

What version of Pan-OS are you using?

Also, does Chrome or Internet Explorer show the same error while the firewall is attempting to decrypt it?

Re: SSL decryption issues with latest Firefox

TheDave — Tue, 26 May 2015 21:36:24 GMT

It doesn't seem to affect IE or Chrome, but as of Firefox 38.01 we are also seeing the issue. Specifically for us its affecting https://accounts.google.com.

https://bugzilla.mozilla.org/show_bug.cgi?id=1148766

Re: SSL decryption issues with latest Firefox

dieter_b — Wed, 27 May 2015 06:04:01 GMT

We are on 5.0.11

Re: SSL decryption issues with latest Firefox

jdelio — Wed, 27 May 2015 14:41:32 GMT

I bet you are correct, that this is happening due to Firefox handing the security/certificates differently than IE and Chrome.

This also has to deal with how PAN is decrypting and encrypting the traffic differently than what Firefox is expecting, thus causing this issue.

I would recommend opening a case with TAC - PAN Support, if you do not already have one to get this addressed.

Re: SSL decryption issues with latest Firefox

dieter_b — Wed, 27 May 2015 14:48:02 GMT

Take a look at 1166216 – FF38, Secure Connection Failed (sec_error_bad_der) on internal certificates

Quote from David Keeler

One common issue appears to be the encoding of the RSA modulus. If the highest bit of an integer is set, the proper DER encoding requires a leading zero byte to indicate that the integer is a positive value, not negative.

This actually seems to confirm that PA generated certificates are faulty.

I have opened a case with our reseller. They are now trying to recreate the issue. If they can recreate, they will escalate to Palo Alto support.

Re: SSL decryption issues with latest Firefox

eugenep — Tue, 02 Jun 2015 08:18:55 GMT

This issue isn't present on 6.0.9 or 6.1.4.

I opened a case with PAN Support while we were on 5.0.14 and had this issue, and all they kept coming back to me was that 5.0.X doesn't support TLS1.2 and sent me to a link of their support cipher pages. I told them it wasn't related to that as I forced Firefox to only use TLS1.1 and disabled the unsupported ciphers and was still getting the same problem.

I was getting no where. In the end, we needed to move to 6.x anyway to use some of the new features.

Re: SSL decryption issues with latest Firefox

dieter_b — Fri, 05 Jun 2015 07:15:44 GMT

I went trough the bugfixes and found these that may be related:

Release notes 6.0.7: 66635 Enabling SSL Forward Proxy decryption with a self-signed certificate could sometimes cause the certificate presented to the client to have a negative serial number, causing an error on the client.
6.0.3: 61696 When using SSL Forward Proxy decryption with self-signed certificates with Firefox, an error was seen from Firefox regarding conflicting certificate serial numbers: sec_error_reused_issuer_and_serial.
6.0.0: 59030 Certificates generated during SSL decryption were not adhering to the ASN.1 format. This was leading to the SSL connection being dropped by some servers.

Especially the last one...

Upgrade to 6.0.10 is planned next week, so fingers crossed.

Re: SSL decryption issues with latest Firefox

dieter_b — Fri, 12 Jun 2015 08:27:02 GMT

With the upgrade and after generating completely new certificates (root CA and client certificate are self signed in our case; server certificate is a public one), the issue seems to be resolved.

Our reseller helpdesk however did not confirm if it had anything to do with the listed bugfixes.

We still have issues with certain https websites, where Firefox throws the error

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.

Example url: https://support.office.com/

Re: SSL decryption issues with latest Firefox

oschuler — Mon, 06 Jul 2015 12:34:57 GMT

This issue still exists in PAN-OS 7.0.0 and Firefox v39. I tried opening https://support.office.com and the firewall responsds with a FIN,ACK immediately:

The internal Root-CA certificate is imported to the Firefox Trusted CA store. The issue doesn't appear when loading the page with IE11 or Chrome43.

Re: SSL decryption issues with latest Firefox

dieter_b — Mon, 06 Jul 2015 12:38:08 GMT

how is your decryption certificate encrypted ?

edit: let me clarify

I've been told since 6.1.4 you can encrypt the cert with AES256 and that should solve the Firefox issue.

But you'd have to generate a new cert of course.

Re: SSL decryption issues with latest Firefox

hvcomputech — Fri, 29 Jan 2016 14:44:55 GMT

Has this been verified?

Re: SSL decryption issues with latest Firefox

dieter_b — Mon, 22 Feb 2016 14:21:30 GMT

I've been on 6.1.7 for a while now. Been testing internally with newly generated certificate. So far I have not encountered the issue anymore in FF.

But PA support also said another fix was made in 6.1.8, issue id 81830.

I'll upgrade to 6.1.9 soon. If problem stays away, I'll re-enable decryption for our users.