topic Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled in General Topics

Facebook is not displaying its page/images properly when SSL Decryption is enabled

AKamal — Wed, 19 Jun 2013 08:42:54 GMT

Facebook is not displaying its page/images properly when SSL Decryption is enabled

any ideas why ?

*Note: I have a rule allowing ANY destination with ANY application with ANY service, also another rule i tried was with ANY destination with Explicitly allowing all facebook applications on service ANY, and yet it didn't work.

My SSL Forward certificate is 1024-bit sha-1

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

UhMayYeah — Wed, 19 Jun 2013 10:18:17 GMT

Are you using any URL categories in the decrypt rule.

How abt using IE/Chrome?

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

JRussell — Wed, 19 Jun 2013 11:14:52 GMT

A lot of sites like this don't like you to have a SSL decrypt rule in place. I have had the same problem with Dropbox and in the end I had to put a no-decrypt rule in specifically for the people who use that service.

Basically, the site is saying that it doesn't like you doing something in the middle of the transmitting, like SSL decryption. Those sites will generally give you a reduced webpage much like what your screenshot showed.

Try going to your Decryption rules and adding one that says, Any source, any destination, URL category as only Facebook, no decrypt and ssl-forward Proxy. If that works you may want to restrict it down to specific sources or specific destination zone.

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

mikand — Wed, 19 Jun 2013 19:08:22 GMT

Ehm woot?

The reason the dropbox client doesnt work is that the dropbox client has a hardcoded ssl cert that if this doesnt match (as when ssl decryption is in progress) the client refuse to connect - same goes with windowsupdate (that is the client - not when used through webbrowser) for that matter.

However the dropbox through webbrowser will still work even if you do ssl decryption.

Regarding facebook you should check your browser that the facebook server cert isnt already preloaded. I think both firefox and google chrome started to do something like that last year or so.

What you then need to do, except adding the cert used to create these MITM ssl certs as a trusted CA, is to clear any preloaded server certs regarding facebook.

Also note that facebook uses various CDN which also must be reachable by the client.

Except for this - how is your ssl decrypt rule setup?

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

JRussell — Thu, 20 Jun 2013 08:06:11 GMT

No. I have a rule that says Decrypt all sites. Unless I have another rule in saying no-decrypt on dropbox then the website does not work. Gives an SSL error.

I know about the Dropbox client and the hardcoded SSl cert as I had to change that to get it to work, but this is a website both ksabry and I are talking about, not any client software. And in these cases if you have a decrypt all sites rule in place, then you would need a no-decrypt rule for certain sites. Such as banking sites for instance. They don't like it when you decrypt their traffic before it gets to the end point and will not allow you to log on.

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

mikand — Thu, 20 Jun 2013 08:20:43 GMT

Unless the bank uses a client cert (which very few does) - how would the bank be able to detect that the ssl traffic is being intercepted at the client end according to you ?

Regarding the Facebook problem - verify if they only accept TLS 1.1 or newer? If so then PA might lack support to handle TLS 1.1 and newer ssl based communication.

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

JRussell — Thu, 20 Jun 2013 08:32:00 GMT

Well perhaps I should have quantified that statement a little bit. OUR banking sites don't like it when the traffic is decrypted before getting to the end point. And yes, ours does use Cert. We have a card reader that we have to pull the certs from a card they send us to get it to all work properly. But that is getting a bit off topic.

All I was suggesting is to try a no-decrypt rule to see if that allows him through as that is what worked for me in other cases. Not facebook though as we block that across the board.

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

AKamal — Mon, 24 Jun 2013 14:46:39 GMT

Thanks , &

I specified in my decryption rule to match on all categories (I added them all explicitly)

I tried with IE, Chrome & Firefox and seems that the problem is with Firefox only!