https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305340#M79341 <P>This is odd that it would be happening with PAN-OS 9.0.5. As anything like that should have been cleared up.&nbsp;</P> <P>There was a prior discussion talking about similar things:</P> <P><A href="https://live.paloaltonetworks.com/t5/General-Topics/PA-3020-SSL-Decryption-Query/m-p/280993#M75902" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/PA-3020-SSL-Decryption-Query/m-p/280993#M75902</A></P> <P>&nbsp;</P> <P>But there is no real answer as to why..&nbsp;</P> <P>&nbsp;</P> <P>What browsers? does it matter if you use Edge, Firefox or Chrome?</P> Tue, 31 Dec 2019 23:11:43 GMT jdelio 2019-12-31T23:11:43Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305172#M79295 <P>Hi paloalto community,</P><P>&nbsp;</P><P>I tested my new ssl decryption rules against the badssl dashboard (&nbsp;<A href="https://badssl.com/dashboard/" target="_blank">https://badssl.com/dashboard/</A>&nbsp;).</P><P>So far it looks good. Unfortunately the check for sha1-intermediate doesn’t pass. Our PA-850 (Firmware 9.0.5) does create a secure connection to this site for the client ( <A href="https://sha1-intermediate.badssl.com/" target="_blank">https://sha1-intermediate.badssl.com/</A>&nbsp;), even I configured to not support SHA1.</P><P>&nbsp;</P><P>Here is my configuration:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-12-30 14_17_20-pa-1.png" style="width: 805px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23259i0BBF98EF532491A2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2019-12-30 14_17_20-pa-1.png" alt="2019-12-30 14_17_20-pa-1.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-12-30 14_17_08-pa-1.png" style="width: 805px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23261i8D8D051CC135A36C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2019-12-30 14_17_08-pa-1.png" alt="2019-12-30 14_17_08-pa-1.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-12-30 14_16_37-pa-1.png" style="width: 803px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23260iC11977B7C7B80B2F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2019-12-30 14_16_37-pa-1.png" alt="2019-12-30 14_16_37-pa-1.png" /></span></P><P>Is there something I forgot to configure?</P><P>&nbsp;</P><P>Thanks and best regards,</P><P>Markus</P> Mon, 30 Dec 2019 13:22:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305172#M79295 mrkskhn 2019-12-30T13:22:14Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305340#M79341 <P>This is odd that it would be happening with PAN-OS 9.0.5. As anything like that should have been cleared up.&nbsp;</P> <P>There was a prior discussion talking about similar things:</P> <P><A href="https://live.paloaltonetworks.com/t5/General-Topics/PA-3020-SSL-Decryption-Query/m-p/280993#M75902" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/PA-3020-SSL-Decryption-Query/m-p/280993#M75902</A></P> <P>&nbsp;</P> <P>But there is no real answer as to why..&nbsp;</P> <P>&nbsp;</P> <P>What browsers? does it matter if you use Edge, Firefox or Chrome?</P> Tue, 31 Dec 2019 23:11:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305340#M79341 jdelio 2019-12-31T23:11:43Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305728#M79462 <P>Same with different browsers&nbsp;</P> Mon, 06 Jan 2020 08:36:47 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/305728#M79462 mrkskhn 2020-01-06T08:36:47Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/306817#M79692 <P>Some more trouble with decryption:</P><P>&nbsp;</P><P><A href="https://www.lobster.de/" target="_blank">https://www.lobster.de/</A></P><P>&nbsp;</P><P>This page gets an untrusted paloalto cert, even it's a valid certificate? Can someone confirm this on his paloalto decryption setup?</P> Wed, 15 Jan 2020 16:14:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/306817#M79692 mrkskhn 2020-01-15T16:14:12Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/306825#M79696 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91759">@mrkskhn</a>&nbsp;</P><P>At least this website is configured not correctly. The webserver does not send the intemediate certificate in the TLS handshake. Without this intermediate certificate the firewall cannot verify if this certificate is trusted / it is not able to check the certificate path.</P><P>You have not 3 possibilities with your current configuration:</P><OL><LI>Import the intermediate cert of this website manually onto your firewall and mark it as trusted root</LI><LI>Create a decryption rule with another decryption profile where you allow untrusted issuers and add a custom URL category to that rule where you add websites like this one</LI><LI>Try to contact the operator of the website to have them fix the issue</LI></OL><P>And yes, because paloalto firewalls don't have the intermediate certs locally the "problem" you see will be on all palo fws.</P> Wed, 15 Jan 2020 17:08:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-sha1-intermediate-certificate-gets-decrypted-even/m-p/306825#M79696 Remo 2020-01-15T17:08:40Z