topic Re: Decryption causing more sites to fail in General Topics

Decryption causing more sites to fail

craymond — Wed, 20 Apr 2016 13:01:51 GMT

Just floating this out to the community. We have had decryption enabled for the past 2 years. In the last 6 months we are adding a new site to the no decrypt category about once a week. We are up to 94 sites that it can't decrypt. Yesterday it was Office365 exchange that stopped woeking, today was the kicker with microsoft updates failing even though we have always had update.microsoft.com in the list not to decrypt. Last week we added Jimmy John's wich we have been using for ever. Is this happening to others?

Re: Decryption causing more sites to fail

bmorris1 — Wed, 20 Apr 2016 13:39:14 GMT

Hello,

More and more web servers are dropping support for RSA.

https://notepad-plus-plus.org/

is just one of them.

ECDHE ciphers are supported for decryption with the release of 7.1.0. If you are encountering problems where the websites are unable to be decrypted due to unsupported ciphers then it would be worth upgrading to take advantage of the new features.

hope this helps,

Ben

Re: Decryption causing more sites to fail

Brandon_Wertz — Wed, 20 Apr 2016 13:53:35 GMT

I don't think Jimmy John's is the RSA support issue, because we're cracking it and it's working for us.

You might want to review your decyption profile @craymond and make sure you've got support for unsupported ciphers. Though there is a known issue that even though you've got the box checked it still doesn't work, and there for requires admins to bypass SSL Interception for that particular site. (For reasons like @bmorris1 said, Palo's lack of support of certain ciphers on code versions less than 7.1.X) Sites have been ramping up using stronger ciphers that until 7.1.X palo didn't support.

Also could it be possible that your hardware is running out of resources to support the increased use of SSL across the Internet? Hardware purchased 3 years ago might be reaching it's limit since pretty much every site is SSL now.

Re: Decryption causing more sites to fail

bmorris1 — Wed, 20 Apr 2016 14:16:41 GMT

If it is a resource issue then you can quickly check the pools

> debug dataplane pool statistics

You can also check the counters that match the proxy

> show counter global | match proxy

It would be worth clearing the exclude cache as well, but you'll see the usage in the pool output.

> debug dataplane reset ssl-decrypt exclude-cache

hope this helps,

Ben

Re: Decryption causing more sites to fail

craymond — Wed, 20 Apr 2016 18:05:35 GMT

We have it scheduled to upgrade to 7.1, will see if this resolves the issue.

Re: Decryption causing more sites to fail

Brandon_Wertz — Wed, 20 Apr 2016 20:03:55 GMT

There are quite a few "known issues" with both 7.1.0 and 7.1.1, you might want to evaluate and make sure it's stable for your enviornment.

Re: Decryption causing more sites to fail

craymond — Thu, 28 Apr 2016 13:14:04 GMT

Thank you. I will be contacting my SE to discuss upgrade suggestions.