topic Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked in General Topics

Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

bfperez — Fri, 25 Aug 2017 00:50:46 GMT

Scenario:

Decryption profile for traffic from the internet to GlobalProtect IP along with an SSL/TLS Service Profile for GlobalProtect, both set to TLS 1.1 or above; Decryption profile has 3DES unchecked.

PA-5020, 7.1.10

Scans from sites like ssllabs.com will show that 3DES is still enabled. Only changing one of the profiles to TLS 1.2 stops this.

Can be repeated with decryption profiles that inspect inbound traffic to a test server that still allows 3DES and TLS 1.1+.

Is this normal?

On a side note, anytime I change the decryption profile dropdown from TLS 1.2 to TLS 1.1 to TLS 1.0, the 3DES box is checked automatically and I have to uncheck it.

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

kiwi — Fri, 25 Aug 2017 11:53:18 GMT

Hi @bfperez,

I'd recommend opening a TAC case with the results of ssllabs.

That said, I'm seeing the same behaviour with the 3DES checkbox on both PAN-OS 7.1 and 8.0 so I'm thinking this is currenlty the expected behaviour.

Cheers !

-Kiwi.

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

Remo — Fri, 25 Aug 2017 14:24:43 GMT

Cool, it is possible to add a decryption profile to global protect traffic? On the same firewall or is this only possible if you have another PA in front of the global protect portal/gateway where you do inbound decryption?

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

bfperez — Fri, 25 Aug 2017 19:12:24 GMT

We just have an HA pair that does all inbound decryption AND houses the GP Portals and Gateways.

We have a decryption profile setup for traffic from the internet to the portals/gatways just like the decryption profiles for other inbound traffic, and it works.

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

Remo — Fri, 25 Aug 2017 20:18:32 GMT

You could try to "uncheck" 3DES from the CLI, maybe this works (if it is a bug in the webUI.

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

Remo — Sat, 26 Aug 2017 11:06:07 GMT

Besides the fact that there seems to be a bug: Is this a real problem? Wouldn't it make more sense to only enable TLS1.2 as there are almost 0 clients that stop at TLS1.1 and do not support TLS1.2

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

kiwi — Mon, 28 Aug 2017 08:37:18 GMT

Hi @bfperez @Remo,

Unchecking in the GUI seems to work fine.

The xml file will also reflect this config once it's committed :

blah { 
     ssl-protocol-settings { 
                           enc-algo-3des no; 
                           } 
     }

The problem seems to be that the GUI doesn't "retain" this setting if you return to the same tab for a second time. Notice how 3DES is re-checked even when it's not listed in the 'Encryption Algorithms'.

3DES is enabled.

If you click OK here and recommit then you might re-enable 3DES unintentionally.

Eitherway I believe it might be a good idea to get TAC involved.

Cheers !

-Kiwi.

Re: Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked

bfperez — Mon, 28 Aug 2017 15:04:58 GMT

Agreed that it's not a real problem. I was just trying to move one step at a time in case we had some oddball app/user that could only do 1.1 or lower.