topic SSL Decryption for Chrome Browser in General Topics

SSL Decryption for Chrome Browser

Farzana — Fri, 14 Jul 2017 04:41:09 GMT

Hello,

Below is our Decryption Policy. Using latest Chrome version.

Security certificate used by the Palo is from the Windows domain PKI and is already implicitly trusted as this testing is from a domain connected Windows 10 device over Ethernet.

It is working fine for IE but in Chrome it is showing like this:

If I set the URL Category of Computers and Internet information to no-decrypt the error stops for this web site but continues for others, including the main Palo support pages.

Any idea how to stop this?

Re: SSL Decryption for Chrome Browser

MohamedSharief — Tue, 25 Jul 2017 08:10:19 GMT

Hi,

Are you getting any decrypt-error end reason in traffic logs?

Can you use the service in the Security Rule as 'any' (in case you are using application-default).

Also you may block quic application as its mainly used by Chrome.

Regards,

Sharief

Re: SSL Decryption for Chrome Browser

Farzana — Tue, 25 Jul 2017 22:48:37 GMT

Thanks M.

We noticed that if the certificate used for forward proxy SSL is not SHA 256 then the Google Chrome browser will not behave. Our Windows PKI is still producing SHA 1 certificates and would need to be updated to be of any use for issuing these certs to the Palo.

Once the SHA 256 cert generated from the Palo is imported to the test PC’s then Google Chrome immediately sees it in the store and is happy to use this for SSL inspection. A SHA1 cert from our Windows PKI does not show up in Chrome and is ignored for SSL decryption, which was the start of this issue.

It would seem that Google is on the fast track to make SHA 1 a bit of history, while IE11 is still happy to use SHA1 for security.