topic SSL Decryption Woes in General Topics

SSL Decryption Woes

prospectfr — Wed, 26 Aug 2015 08:36:51 GMT

Hi,

I am not able to get to https://platinum.netnames.com/ with SSL decryption on, on PAN 7.0.1 / PA-3020 (IE11 / FF40 == TLS failure). Also, speed seems capped to 3Mbit/s with some CDNs (S3 AWS). Am I missing something?

thanks.

Re: SSL Decryption Woes

pankaku — Wed, 26 Aug 2015 09:34:51 GMT

The website "https://platinum.netnames.com" is using unsupported cipher suite (TLS_ECDHE_RSA is not supported.) that's why you are having issues while opening that website. Refer to following documnet

https://live.paloaltonetworks.com/t5/Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-Suites/ta-p/55543

Re: SSL Decryption Woes

Remo — Wed, 26 Aug 2015 09:25:11 GMT

Hi,

This site only supporty ciphersuites with forward secrecy (ciphers with ECDHE or DHE). Those ciphers are not supported by the ssl decryption feature of paloalto.

These are the supported ciphers of this website:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

source: https://www.ssllabs.com/ssltest/analyze.html?d=platinum.netnames.com

Hope this helps.

Regards,

Remo

Re: SSL Decryption Woes

prospectfr — Wed, 26 Aug 2015 09:28:43 GMT

That's what I suspected, however I don't understand why can't it be handled in a graceful manner (aka simply not decrypting) ? It is not very convenient to whitelist on incident (neither it is practical). It would be nice if PaloAlto could maintain a category of such sites on their own so we just have to exclude it from decryption and everybody benefits from it.

Is anyone using SSL Decrypt in the field with a lot of URL categories?

thanks for your input.

Re: SSL Decryption Woes

pankaku — Wed, 26 Aug 2015 09:37:04 GMT

Some server uses non standard cipher suites that why PA cannot decrypt them. However PAOS 7.0 can decrypt more traffic than previous versions.

Regards,

Pankaj Kumar

Re: SSL Decryption Woes

Brandon_Wertz — Wed, 26 Aug 2015 13:13:04 GMT

I totally feel your pain and agree...I've actually got a case open right now on this very issue. The amount of TLS1.2 sites that fail to load because of unsupported cipher suites the palo doesn't support is kinda crazy.

Then compounding the issue is the "Page can't be disaplayed" error users get in IE. At least Chrome give users a "Connection Closed Error" which does indicate something actually happened.

On your decryption profile you should be able to allow connection to SSL sites with "Unsupported ciphers" which I've actually got set to allow, but the 5060 still isn't allowing the connection. So TAC is investigating.

Re: SSL Decryption Woes

prospectfr — Wed, 26 Aug 2015 14:01:30 GMT

FWIW I am the only user of the solution (demo unit), and I am thinking of turning off SSL decryption given the number of issues it causes. I can't imagine the number of tickets I would get with 1K+ users on it.

How is TAC dealing with these issues from your experience?

Thanks!

Re: SSL Decryption Woes

Brandon_Wertz — Wed, 26 Aug 2015 14:51:16 GMT

Oddly enough, it's still worth it.

Not all sites run TLS1.2. There have been plenty of cases where decrypted content has enabled the threat service to find malware.

There are also a fair amount of sites running TLS1.2 that the device does support FB, Youtube, Webmail, as well as other governmental websites.

Re: SSL Decryption Woes

Brandon_Wertz — Wed, 26 Aug 2015 14:54:02 GMT

As far as TAC support on this TLS issue. I've only had the case open for about 12 hours. We'll see how things progress.

Re: SSL Decryption Woes

ITCMPHC — Thu, 27 Aug 2015 16:48:06 GMT

I've got about 1k users and I am decrypting all traffic. Currently running 7.0.1 on a pair of 3050s. 7.x has definitely improved the situation as they fixed a bug that prevented many pages from loading even with the unsupported cipher bypass enabled. You still run into situations like the one you described, but not nearly as many as before. I generally have 2-3 unblock requests per week so it is managable for now. I expect that number to go up in the future as more sites begin using cipher suites that the Palos can't handle. I'm hoping Palo is putting time into supporting more suites as decryption is one of the foundations of their app-id.

Re: SSL Decryption Woes

Brandon_Wertz — Mon, 31 Aug 2015 17:35:25 GMT

Still don't have an answer from TAC.

Re: SSL Decryption Woes

prospectfr — Tue, 01 Sep 2015 08:22:12 GMT

Slightly OT, what kind of traffic do you manage to require 3050s instead of 3020s for 1K users?

Re: SSL Decryption Woes

Brandon_Wertz — Tue, 08 Sep 2015 15:56:31 GMT

Bug ID 83524 -

Has been documented for sites with unsupported cipher suites still not being accessible when configured to not block unsupported cipher suites.

The current work around is to bypass URLs as they come. As of this date 8 Sep 15, this bug still isn't resolved in 7.0.2, though operability with other ciphers might be better the bug isn't officially resolved in 7.0.2.

Re: SSL Decryption Woes

arvesynd — Wed, 14 Oct 2015 06:56:42 GMT

I asked a Palo Alto representative about this a few months back, and support for TLS_ECDHE_RSA and TLS_DHE_RSA was planned to be implemented sometime in the first half of 2016.

Could be coming in PANOS 8?