topic Re: SSL inspection decrypt error from some client in General Topics

SSL inspection decrypt error from some client

adalfarra — Mon, 06 Jul 2020 07:33:11 GMT

Hello to all,

We have a linux website that we made working with inbound ssl inspection by disabling curve25519 / x25519.

Some clients report errors ( always showing as decrypt errors on the monitoring) accessing the site: by taking a networrk trace on the firewall side it seems like all the client are trying to negotiate TLS V1.

If I try with the same combination of browser (Edge legacy and cromium version) and S.O (windows 10 1903) I am able to reach the sites and in the trace i see that the correct version (TLS 1.3) is negotiated between the client and the palo alto.

Off course if I disable the inspectio all goes fine. Anyone have any hints or suggestion?

thanks

Re: SSL inspection decrypt error from some client

OtakarKlier — Mon, 06 Jul 2020 20:42:37 GMT

Hello,

The client needs to trust the certificate. I would say use a public certificate and or have the client install the root cert that is being used.

Regards,

Re: SSL inspection decrypt error from some client

BPry — Tue, 07 Jul 2020 02:45:18 GMT

@adalfarra,

Do you have TLS1.0 enabled on your inbound decryption profile? Best practice would be that this would be disabled if it isn't required, which would cause your decryption issues.

Re: SSL inspection decrypt error from some client

adalfarra — Tue, 07 Jul 2020 04:05:26 GMT

@BPry

the profile only permits TLS 1.2 and above, also the certificate is public

thanks

Re: SSL inspection decrypt error from some client

BPry — Tue, 07 Jul 2020 14:21:46 GMT

@adalfarra,

So the one thing to keep in mind here is that clients don't have to support set versions of TLS. You could easily be seeing scanning traffic that is only using TLS 1.0 or TLS1.1. You've verified that the site in question works correctly when you access the connection with TLS1.2+ enabled, so now the real question is why the client isn't at least supporting TLS1.2+?

This is where you kind of have to work with someone reporting the issue to see if their browser and computer are actually setup to utilize TLS1.2. If they are not, you essentially can only ask anyone running into the issue to migrate to allowing TLS1.2 or modify your profile to allow TLS1.0 and TLS1.1. Personally I would be telling the client they need to support current security standards, but that may not work with your organization.

Re: SSL inspection decrypt error from some client

adalfarra — Tue, 07 Jul 2020 15:19:59 GMT

@BPry

The client combination is edge and explorer on windows above version 1903.

The site without the inspection only offers TLS1.2 and above and is working fine. The problem for me occurs only when we activate the inbound inspection at the palo alto side