topic Re: SSL decryption troubleshooting in General Topics

SSL decryption troubleshooting

RobinClayton — Mon, 27 Jan 2020 10:05:23 GMT

I am trying to get SSL Forward Proxy working properly, generally it seems to be OK but I have a site I have tested

is for the bank hsbc

that gives an error..

Certificate Error

There is an issue with the SSL certificate of the server you are trying to contact.

Certificate Name:

IP: 91.214.6.22

Category: not-resolved

Issuer:

Status: unknown

Reason:

I have read this

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC

Coincidentally, the site in the help link actualy uses the exact same certificate as HSBC.

I have imported both certificates in the chain

"DigiCert High Assurance EV Root"
"DigiCert SHA2 Extended Validation Server CA"

Tried setting root and SHA2 as CA...

But the error persists for both the site I need and the site from the help document.

My forward Proxy is presently configured like.... ( I had to disable "Check Timeout" as that failed also )

[/] Block sessions with expired certificates

[/] Block sessions with untrusted issuers

[/] Block sessions with unknown certificate status

[ ] Block sessions on certificate status check timeout

[ ]Restrict certificate extensions

Cheers

Rob

Re: SSL decryption troubleshooting

jdelio — Wed, 29 Jan 2020 00:11:06 GMT

Hey there Rob @RobinClayton ,

I am sorry that you are having issues trying to decrypt that one site.. but I will state that in the normal setup for SSL Decryption, we normally exclude Banking and Medical sites to reserve privacy.

I assume that other sites work without issue?

Re: SSL decryption troubleshooting

RobinClayton — Wed, 29 Jan 2020 08:34:54 GMT

Anything on Digicert or Comodo is an issue. [at least]

I have to unset "Untrusted Issuer" & "Unknown Status" , and that's in addition to the "Check Timeout" which fails for everything.

Re: SSL decryption troubleshooting

OtakarKlier — Wed, 29 Jan 2020 16:26:30 GMT

Hello,

Are you having the PAN perform certificate checks? And is the PAN allowing that checked traffic?

Also I agree with Jdelio, its best to exclude the following to avoid issues with compliance and privacy:

banking

medical

military

government

Regards,

Re: SSL decryption troubleshooting

RobinClayton — Wed, 29 Jan 2020 16:38:30 GMT

The unit is configured to send both CRL and OSCP but I can't find where I would see this traffic. Service router does not include an option for OSCP only CRL...

This is on an 8.0 FW, but the certs are there and look to have the same time stamp.

Rob

Re: SSL decryption troubleshooting

OtakarKlier — Wed, 29 Jan 2020 16:40:19 GMT

Hello,

If the service routes are set to default, they would source from the management interface. So filter traffic from it and appropriate applications to see. Also dont decrypt this traffic :).

Regards,

Re: SSL decryption troubleshooting

RobinClayton — Wed, 29 Jan 2020 16:48:52 GMT

It was set on the MGMT interface, but I did not see any CRL/OSCP app-id traffic.

I now have it configured for CRL Service on the external interface, but that made no difference.

Re: SSL decryption troubleshooting

BPry — Wed, 29 Jan 2020 22:29:54 GMT

@RobinClayton,

Keep in mind that depending on your actual firewall configuration, you may not be recording the logs for this traffic. You'll want to ensure that you have your security rulebase and routing setup so that the firewall sees and logs this traffic. Alternatively, since you are now sourcing the traffic to from your untrust interface you can start a PCAP and look for the traffic.