topic Re: SSL Decryption - warnings during commit in General Topics

SSL Decryption - warnings during commit

uscit — Tue, 07 May 2013 14:04:00 GMT

I had setup GlobalProtect with a third party certificate that I chained together, and it works fine with no errors.

Then, I began testing SSL Decryption yesterday (with an initial goal of decrypting SSL for Facebook so that I could block Facebook games). Upon configuring the Decryption Policy, when going to commit, I receive these warnings:

Warning: certificate chain not correctly formed in certificate GlobalProtect-ServerWarning: certificate chain not correctly formed in certificate GlobalProtect-ServerWarning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.

(Module: device)

Configuration committed successfully

My questions are:

Why is it now telling me that my chain isn't configured correctly for the cert I'm using with GlobalProtect?

The cert I'm using for SSL Decryption I have only enabled the option of "Forward Trust Certificate", which I am assuming is why I'm seeing the warning about "Forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead"...but should I enable "Forward Untrust Certificate" on this cert as well?

Re: SSL Decryption - warnings during commit

uscit — Wed, 08 May 2013 20:33:39 GMT

Well, it appeared that I actually did have the chain wrong on my GP SSL cert (a Godaddy one). I corrected that, and now I don't get an error in the PAN when committing...however if I use openssl or sslToolbox to validate the chain, it's throwing in an extra cert that I did not put in the chain. Openssl says it is a "self-signed certificate in the certificate chain", and this is from sslToolbox below:

Certificate Chain Information

Server Name

<gp portal> was checked using port number 443

The following issuer is not supported by the certificate installation checker.

Chain Installation

Certificate 1

Organization

The Go Daddy Group, Inc.

Go Daddy Class 2 Certification Authority

Country

Valid From

Tue Jun 29 13:06:20 EDT 2004

Valid To

Thu Jun 29 13:06:20 EDT 2034

Serial Number

Signature Algorithm

SHA1withRSA

I then looked in the PA-500's "Default Trusted Certificate Authorities" and indeed there is one called "The Go Daddy Group, Inc., Go Daddy Class 2 Certification Author". I don't remember seeing this in there before, and I had looked for GoDaddy in this default trusted list?

And for the warning about the untrust cert, I saw the other thread that said to ignore this error. I don't have an untrust cert...if I want to set one up to get rid of the warning, is it any different than the one I use for forward trust? Can I just use that one for both?

Re: SSL Decryption - warnings during commit

Interface — Wed, 28 Aug 2013 13:36:13 GMT

Hi,

look here for the same issue - https://live.paloaltonetworks.com/thread/8554

I created "Forward untrust certificate" and commit with no errors. First i use same certificate for both and there was no difference. Good luck

Re: SSL Decryption - warnings during commit

mbutt — Thu, 29 Aug 2013 17:30:14 GMT

I found the following Bug 47565 which is fixed in release 5.0.3.

The release notes state the following

After upgrading to PAN-OS 5.0.x, newly imported certificates that were part of a certificate chain were being stripped of their intermediate certificates, causing the browser to prompt users with a certificate warning.

You might be running into this issue.

Re: SSL Decryption - warnings during commit

mikand — Fri, 30 Aug 2013 21:08:03 GMT

The point of the untrust cert is that when PA device fails to setup a proper ssl between itself and the server when using ssl termination there is no way to notify the client about this. So by choosing the untrust towards the client the client will know its bad if the client continue this session.

My advice would be to use two different certs, one for trusted and one for untrusted and place that trusted cert as trusted CA in your browser and the other untrusted cert as untrusted / blacklisted CA in your browser.