topic Re: SSL Decryption in General Topics

SSL Decryption

SERMA-NES — Mon, 10 Jul 2017 15:38:54 GMT

Hello,

I have a PA-VM running on a ESX server.

I want to set up SSL Decryption on it using a SUBCA certificate chain signed by a PKI (windows server).

I check boxes "Forward to trust/untrusted certifcate"

I export the SUBCA to store it on a client machine (to avoid warning message)

The network is OK

The policy is Any any permit

The SSL decryption policy is set up to decrypt everything

The main issue is the Following :

On the client machine, I not allowed to reach any website using HTTPS, the brower is telling me that the connection has been reset... whatever the browser (chrome, IE etc)

I can't find anything to solve my issue...

Thanks in advance

Regards

Re: SSL Decryption

BPry — Mon, 10 Jul 2017 16:22:36 GMT

It doesn't sound like SSL decryption was setup properly. Did you follow any of the guides when you were setting this up? Generally you should at least be getting a message about the certificate not being trusted. I would personally delete the setup that you have currently and follow the guide found here to verify that everything is setup correctly.

https://live.paloaltonetworks.com/t5/Tutorials/How-to-Configure-SSL-Decryption/ta-p/65073#TopicC

Re: SSL Decryption

TranceforLife — Mon, 10 Jul 2017 16:23:15 GMT

The traffic logs session end reason? What can you see there?

Re: SSL Decryption

SERMA-NES — Tue, 11 Jul 2017 13:10:01 GMT

Thanks for your answers.

I followed several guides to set up SSL Decryption (including the one you provide).

192.168.116.191 is the internal IP (default gateway of the users)

I configure it again, using self certifcate, the problem is still there...

Re: SSL Decryption

TranceforLife — Tue, 11 Jul 2017 13:32:40 GMT

Hi,

try to open VMware website:

https://www.vmware.com

Most likely it is all due to HTTP Public Key Pinning:

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

https://androidtechieblog.wordpress.com/2016/07/21/ssl-pinning-to-prevent-a-man-in-the-middle-mitm-attack-on-androidios-application-part-1/

Re: SSL Decryption

SERMA-NES — Tue, 11 Jul 2017 13:57:52 GMT

I can't access to https://www.vmware.com too 😞

For your information, I try to set up SSL Decryption on a new PA-820 PANOS8.0, with the same configuration, the problem is the same...

What should I do to make it functionnal ?

Re: SSL Decryption

TranceforLife — Tue, 11 Jul 2017 14:08:39 GMT

Did you actually click on the "confirm security exception" button?

Re: SSL Decryption

SERMA-NES — Tue, 11 Jul 2017 14:14:09 GMT

Yes I did 🙂

I very surprised about this issue... the configuration is pretty simple but the troubleshooting is not so easy

Re: SSL Decryption

TranceforLife — Tue, 11 Jul 2017 14:16:35 GMT

Yeah, the only one thing l have different is on my SSL self gen cert l have CN as a name, not ip. Can you test with self-signed certs?

Re: SSL Decryption

SERMA-NES — Tue, 11 Jul 2017 14:28:23 GMT

Yeah I have tested with self signed certificate, please refer to my previous post (screenshots have been posted)

CN or IP doesn't matter... right ?

Re: SSL Decryption

TranceforLife — Tue, 11 Jul 2017 14:49:47 GMT

Ohh, blind me :D. Should not really in our case.

EDIT: FYI

Re: SSL Decryption

BPry — Tue, 11 Jul 2017 14:52:21 GMT

@SERMA-NES,

Stupid question but did you actually import the cert onto the local machine, it doesn't look like you did and if you are utilizing a self sign then you need to accept the cert that you are using to actively decrypt the traffic. From your provided screenshots it doesn't look like this is actually done which would cause a hole heap of security errors from pretty much any browser.

Re: SSL Decryption

SERMA-NES — Tue, 11 Jul 2017 15:17:27 GMT

I didn't import it during my first screenshots, but I did it after, the problem is still here.

With the certificat in the client's store, I don't have anymore warnings from the browser, but directly the "reset" message.

I have the same certificate when I try to reach VMWARE website :

Re: SSL Decryption

TranceforLife — Tue, 11 Jul 2017 15:19:32 GMT

Miracle. What can you see in the traffic logs (session-end reason)?

Re: SSL Decryption

SERMA-NES — Wed, 12 Jul 2017 09:33:51 GMT

hello,

tcp reset from client...

I downgrade PANOS to 7.1.0 and now, the browser try to reach the website (perpetualy) but this time without Reset message

Re: SSL Decryption

it-thomas — Wed, 12 Jul 2017 15:18:53 GMT

You need to do a packet capture on the client system and see what is going on. With that you will likely be able to find out why the client is terminating the session.

You may also want to try Chrome on your Ubuntu machine, or another operating system all together.

Re: SSL Decryption

BPry — Wed, 12 Jul 2017 18:05:49 GMT

@SERMA-NES,

I agree with @it-thomas, the client is clearly resetting the traffic.

What we know (or think we know)

- Traffic is being reset by the client, so it's not specifically a decryption issue.

- The client believes the cert is not valid, which would be common for self-signed certs as you need to import the cert which you have.

- The issue persists even if you move off of 8.0

I would try this on Chrome and see where that gets you, I would also try this on a Windows machine with Internet Explorer or Edge as they are less prone to trigger on security issues.

Re: SSL Decryption

it-thomas — Wed, 12 Jul 2017 20:40:57 GMT

@BPry

"try this on a Windows machine with Internet Explorer or Edge as they are less prone to trigger on security issues. "

That statement is funny because it is true.

Remember for certs it checks 3 things, if any of those things fail it doesnt play well:

-Who you are

-- i.e. does the cert match the website, if it doesnt it will fail

-When you are good

-- outside of the valid cert period it will fail

-Who says I can trust you

-- If your root CA is not trusted, it will not trust anything below it in the chain. That being said, make sure that you import the Root CA into the correct spot in your browser or it will fail.

It is possible that your TCP and/or SSL handshakes are getting all buggered up due to issues with your cer/decrypt. In turn your client is killing the connection since it doesn't trust it. The packet capture will tell you all of that information and help you pin down the failure point.

This also hasnt been asked yet, is HTTP working correctly?

http://www.bing.com

https://www.bing.com

Re: SSL Decryption

mgarg — Fri, 14 Jul 2017 02:49:41 GMT

Try taking a simultaneous pcap on the ubuntu box and the firewall and compare them if the client generates a rst packet

Move over you can take the global counters during the test

In the command line run show counter global filter packet-filter yes delta

Just make sure your filters are setup to include only the source machine from where you are testing.

If you can please share the output of counters

Re: SSL Decryption

SERMA-NES — Fri, 25 Aug 2017 15:20:22 GMT

Hello,

Thanks everybody for your implication.

I solved my issue several weeks ago : Since PANOS 7, to make SSL decryption works, we have to configure "Any" on the service column and not "application default" on our policy

It works fine now !