topic Re: SSL Inbound Decryption Failing in General Topics

SSL Inbound Decryption Failing

RyanJohnstone1144 — Tue, 09 Feb 2021 15:28:27 GMT

hello, we are setting up SSL Inspection for inbound traffic but it is failing when clients try to access, we are getting unsupported protocol errors. ssl labs shows the following issues around handshaking.

with SSL Inspection off we do not see these errors

can anyone advise what we can do to address this? we are running PAN OS 9.0

Thanks

Ryan

Re: SSL Inbound Decryption Failing

BPry — Wed, 10 Feb 2021 22:54:41 GMT

@RyanJohnstone1144,

Mismatched or unsupported ciphers are the cause of 99.9% of these issues. Verify that all of the ciphers used by the server are actually supported by the firewall and that only supported ciphers are being utilized. If you have ciphers checked on your decryption profile that the server doesn't support, or ciphers on the server that the firewall doesn't support, it's not able to proxy that connection properly.

Re: SSL Inbound Decryption Failing

RyanJohnstone1144 — Fri, 12 Feb 2021 10:52:23 GMT

Thanks for the reply.

looks like issue is to do with EC x25519 being used by our server. i see this is supported on PAN OS 10 with TLS1.3 and is NIST approved.

Do you know if support for this will be added to PAN OS 9.0? i am reluctant to ask our server team to disable x25519 across our server estate or move up to 10.0 at this current time.

Thanks

Ryan