topic Re: Decryption with Wildcard SSL-certificate? in General Topics

Decryption with Wildcard SSL-certificate?

pivvre — Wed, 19 Sep 2018 06:43:26 GMT

Does Palo Alto support decryption with Wildcard SSL-cert?

Ref.:
In order to determine if a connection needs to be decrypted or not, the firewall relies on the (CN) common name configured within the certificate and compares that to the security policy. ( https://live.paloaltonetworks.com/t5/Management-Articles/SSL-Decryption-Rules-Not-Matching-FQDN/ta-p/62199 )

Re: Decryption with Wildcard SSL-certificate?

markus_w — Wed, 19 Sep 2018 11:57:23 GMT

Inbound or outbound decryption?

Re: Decryption with Wildcard SSL-certificate?

pivvre — Wed, 19 Sep 2018 12:03:10 GMT

Hi, for outbound decryption

Re: Decryption with Wildcard SSL-certificate?

markus_w — Wed, 19 Sep 2018 14:50:40 GMT

is it possible to tell me the url? and which one do you want to decrypt or not to decrypt?

short answer: it will decrpyt. but if you want to exclude a specific host / subdomain, there could be a problem. you also need to look at the decryption rule.

Re: Decryption with Wildcard SSL-certificate?

Remo — Wed, 19 Sep 2018 16:17:41 GMT

@pivvre

The firewall does not only rely on the CM in order to decide if the connection needs to be decrypted. In most connections (everything from a browser that is not older than about 4 years) the TLS handshake client hello packet contains the Server Name Indicator extension. In this field the client specifies the required FQDN and this is also checked by the firewall. So even the server has a wildcard cert the exclusion can normally still be configured with the FQDN - if the client sends a handshake packet WITH this extension.

Re: Decryption with Wildcard SSL-certificate?

pivvre — Thu, 20 Sep 2018 05:57:33 GMT

There are no external URL, this is between two internal zones.
Problem is we are not able to decrypt the traffic using our own wildcard SSL-certificate..

Re: Decryption with Wildcard SSL-certificate?

Remo — Thu, 20 Sep 2018 07:50:58 GMT

@pivvre

If you try to use a wildcard cert AS decryption cert -> this is not gonna work. You need to either configure a CA certificate or use inbound decryption if you are only talking about one or a few servers.

Re: Decryption with Wildcard SSL-certificate?

markus_w — Thu, 20 Sep 2018 09:28:56 GMT

@pivvre

ok maybe i dont get it. you talking about outbound decryption, but between two internal zones?

can you tell me where is the wildcard certificate installed? on the server you which to connect to, right?

if so, this normally could be possible to decrypt if:

- you have an ca certifiacte installed and checked it under certificates as your trusted forward certificate (as vsys_remo mentioned)

- you have an adequate decprytion rule for your "outbound" connection, where "outbound" means from one zone to the other

- the server is using a protocol (no proprietary encryption) and cipher suite which is supported by your PANOS Version
(https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites)

Re: Decryption with Wildcard SSL-certificate?

pivvre — Mon, 01 Oct 2018 07:41:22 GMT

Sorry guys - I gave an wrong answer earlier on, this is for inbound sessjons, not outbound...

Re: Decryption with Wildcard SSL-certificate?

markus_w — Mon, 01 Oct 2018 08:10:51 GMT

Ahhh, ok. For inbound i think it will work. I can check it on a Lab Unit the next days if you want?

Re: Decryption with Wildcard SSL-certificate?

pivvre — Mon, 01 Oct 2018 09:15:28 GMT

Problem is - we can't make it work....
So if anyone have a better description than the whitepaper, that would be a good start for me

Re: Decryption with Wildcard SSL-certificate?

markus_w — Mon, 01 Oct 2018 10:21:21 GMT

And you are sure, that your server didn't use any unsupported ciphers??

Check it here: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites

And check it on your servers or the best way is to take a packet capture and analyse the ssl handshake to see if there are any unsupported ciphers in use.

For a quick check use the global counters. Here is an article that maybe help:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle3CAC

Re: Decryption with Wildcard SSL-certificate?

gwesson — Mon, 01 Oct 2018 22:45:44 GMT

"Problem is - we can't make it work...."

If you can supply any more details than that, it would be very helpful.

What isn't working?

Can you not assign the certificate to the decryption rule?

Did you import the private key when you imported your wildcard?

Does everything appear correctly but the traffic just isn't decrypted?

What PAN-OS version are you using?

Some more details will help people trying to assist. The answers to the questions above can help narrow down where to help you troubleshoot.