topic Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket" in General Topics

SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

mhuels — Mon, 17 Sep 2012 12:54:36 GMT

Since upgrading to Palo Alto Networks 4.1 we often have warnings in several firefox and thunderbird clients.

Then we get the error mesage "ssl_error_rx_unexpected_new_session_ticket".

This example is from thunderbird:

Additionally the behaviour of the firewall to let some SSL communication undecrypted - for instance: on the first click https://www.anyside.de/index.html will be decrypted, the second click on https://www.anyside.de/anydoc.html will not - is a bit disturbing.

mfg

Manfred

Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

sdurga — Mon, 17 Sep 2012 17:07:41 GMT

Hi,

Can you try deleting the SSL decryption certificates on Paloalto and re-importing/regenerating them again and see if it makes any difference. My guess is that the SSL decryption certs might have got corrupted during the software upgrade.

Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

mhuels — Wed, 19 Sep 2012 14:12:15 GMT

Hi sdurga,

first i tried to disable device->setup->Server CRL/OCSP Settings.

this works a bit. Now the SSL crypted websites will be mostly continuous decrypted.

With some rare exceptions: if we get an error message like this here

i get an undecrypted website at next, if i click "Nochmals versuchen".

Next i will try your suggestion.

greets

Manfred

Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

mhuels — Thu, 20 Sep 2012 10:29:17 GMT

I have reimported the certificate.

Unfortunately the problem is still going on. The SSL warning is not as usual as in the beginning, but it reappears frequently.

Guessing a performance problem with our hardware (PA 2050 from 2010), what can we do?

greets

Manfred

Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

mhuels — Mon, 24 Sep 2012 09:11:15 GMT

We can see another strange behaviour by the firewall, which shows in the same direction:

Especially if using the Firefox Browser will the third or fifth reload of a ssl-crypted website be undecrypted by the firewall.You simply have to click "reload" several times on any SSL Website.

Very strange behaviour by a security device.

Manfred

Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

mikand — Mon, 24 Sep 2012 09:22:46 GMT

Your device is obviously malfunctioning for some reason.

Did you file this as a bugreport and what did the support tell you?

A similar event regarding 2000-boxes and SSL was spring 2010 (3.0/3.1.something) where the SSL engine failed in mgmtplane which gave all sort of funny results (because the MITM cert is created on the fly by the mgmtplane and then cached in the dataplane if im not mistaken). That bug was fixed a few weeks later after being reported (and debugged).

Re: SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

mhuels — Mon, 24 Sep 2012 10:00:23 GMT

Till now, we didnt open a support request. But i will do so this morning.

Thanks

Manfred