topic SSL Decryption in General Topics

SSL Decryption

RC-BHF — Tue, 10 May 2016 16:10:40 GMT

We do SSL Decryption on our PA.

Recently we have been seeing a lot of sites that do not decrypt

Chrome comes up with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION

Firefox does not have any meaning full error message

A quick google shows that it is to do with disabling of SSL v3.

When the site is added to no decryption policy it works, so obviously the issue is to do with SSL Decryption

But I do not understand what is forcing the browser back to SSL v3.

Can anyone please point me in the right direction. Is it the SSL cert that is installed on the PA ?

Re: SSL Decryption

gwesson — Tue, 10 May 2016 18:20:53 GMT

If I had to guess, you're probably running PAN-OS 7.0 or older, so the list of ciphers supported by the decryption is limited to lower security ciphers (nothing using DHE or EC). If I'm wrong about the OS version, you can discard the rest of this message because I have no idea other than that.

If the site you're going to only supports high-encryption ciphers within TLS 1.0 and greater, the only option left to the firewall's decryption mechanism is to use SSLv3. Since SSLv3 is pretty much not supported by most current browsers unless you force it the error you see will happen (it can't negotiate any ciphers that it has in TLS, and the downgrade to SSLv3 fails).

PAN-OS 7.1 introduces a huge amount of additional ciphers within SSL forward decryption. If you are unable to upgrade to 7.1 yet, the only options would be to block the site or exclude it from your decryption policy.

Best regards,

Greg Wesson

Re: SSL Decryption

RC-BHF — Wed, 11 May 2016 08:32:43 GMT

I had a feeling it might be do with the PANOS , we run 6.1.x.

I have been holding off upgrading to 7.x since there were a lot of discussion on this forum about SSL Decryption bugs related to the PAN OS 7

Anyone else running PAN OS 6.x having these issues.

Re: SSL Decryption

iChen78 — Wed, 11 May 2016 09:29:41 GMT

We have the same issue (PAN-OS 6.1.7)

Problem statrted in the last few days, after Chrome got an update to a new version: 50.0.2661.94

I tried to create a new certificate but it didn't solve the problem.

I understand that the only way to address this issue is to upgrade to 7.1.* ?

Re: SSL Decryption

Brandon_Wertz — Wed, 11 May 2016 13:27:04 GMT

@RC-BHF as @gwesson stated it's because the PAN-OS version you're running doesn't support the cipher the website is using.

Further compounding the problem I know PAN-OS 6.X.X had a bug where allowing "unsupported ciphers" didn't matter:

(Screen shot is of 7.0.X - So formatting may be a bit off for you)

In theory you should be able to have this unchecked and the session should be allowed, but that isn't the case and the only way out is 1 of 3 options.

Turn off SSL Interception completely

Handle URLs on a case by case basis

Upgrade to 7.1.X (as 7.1.X has the huge bump in cipher support)

Back when i was running 7.0.3 we were still running into issues where unsupported ciphers still needed to be bypassed eventhough our decryption profile is built to avoid this issue.

The TAC case I had at the time the support tech said, while it *SHOULD* not be a problem they couldn't gurantee it wouldn't cause the problem.

Since we've been running 7.0.5-h2 I haven't had a single case where an unsupported cipher site needed to be bypassed. So maybe that issue has been solved.

Re: SSL Decryption

iChen78 — Wed, 18 May 2016 15:19:52 GMT

Just a quick update - we solved the problem by upgrading to 7.0.6.