Facebook is not displaying its page/images properly when SSL Decryption is enabled


L0 Member

Facebook is not displaying its page/images properly when SSL Decryption is enabled

Any ideas why?

*Note: I have a rule allowing ANY destination with ANY application with ANY service. Another rule I tried was ANY destination, explicitly allowing all Facebook applications, on service ANY, and yet it didn't work.

My SSL Forward certificate is 1024-bit SHA-1.

[attached screenshot: pa-ssl-decryption.jpg]

L5 Sessionator

Are you using any URL categories in the decrypt rule?

How about using IE/Chrome?

L3 Networker

A lot of sites like this don't like you to have an SSL decrypt rule in place. I have had the same problem with Dropbox, and in the end I had to put a no-decrypt rule in specifically for the people who use that service.

Basically, the site is saying that it doesn't like you doing something in the middle of the transmission, like SSL decryption. Those sites will generally give you a reduced webpage, much like what your screenshot showed.

Try going to your Decryption rules and adding one that says: any source, any destination, URL category Facebook only, no-decrypt, SSL Forward Proxy. If that works, you may want to restrict it down to specific sources or a specific destination zone.

Ehm woot?

The reason the Dropbox client doesn't work is that the Dropbox client has a hardcoded SSL cert; if this doesn't match (as when SSL decryption is in progress), the client refuses to connect. The same goes for Windows Update (that is, the client, not when used through a web browser), for that matter.

However, Dropbox through a web browser will still work even if you do SSL decryption.

Regarding Facebook, you should check your browser to see whether the Facebook server cert isn't already preloaded. I think both Firefox and Google Chrome started to do something like that last year or so.

What you then need to do, apart from adding the cert used to create these MITM SSL certs as a trusted CA, is to clear any preloaded server certs regarding Facebook.

Also note that Facebook uses various CDNs, which must also be reachable by the client.

Apart from this, how is your SSL decrypt rule set up?

No. I have a rule that says decrypt all sites. Unless I have another rule in saying no-decrypt on Dropbox, the website does not work. It gives an SSL error.

I know about the Dropbox client and the hardcoded SSL cert, as I had to change that to get it to work, but this is a website both ksabry and I are talking about, not any client software. And in these cases, if you have a decrypt-all-sites rule in place, then you would need a no-decrypt rule for certain sites, such as banking sites for instance. They don't like it when you decrypt their traffic before it gets to the end point and will not allow you to log on.

Unless the bank uses a client cert (which very few do), how would the bank be able to detect that the SSL traffic is being intercepted at the client end, according to you?

Regarding the Facebook problem: verify whether they only accept TLS 1.1 or newer. If so, then the PA might lack support for handling TLS 1.1 and newer SSL-based communication.
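The two replies above raise two questions a firewall admin can actually measure from a client behind the decrypt rule: whose CA issued the certificate the browser received (the firewall's SSL Forward Trust CA, meaning the session is being decrypted, or a public CA, meaning it passed through), and which TLS version the client ended up negotiating through the firewall. The following script is an added example and is not code from the thread or from Palo Alto Networks; it uses only the Python standard library. `FORWARD_TRUST_CA_CN`, the sample certificate dicts and the `forward_trust_cafile` path are assumed placeholders to be replaced with your own deployment's values.

```python
"""Added example (not from the thread): report who issued the certificate a
client actually receives for a host and which TLS version was negotiated,
so you can tell whether the SSL Forward Proxy rule applies to that site."""
import socket
import ssl
from typing import Any, Dict, Optional

# Common name of the CA configured as the SSL Forward Trust certificate on the
# firewall. Assumed placeholder; replace with the CN of your own forward-trust CA.
FORWARD_TRUST_CA_CN = "Example-Corp Forward Trust CA"

# Constructed sample peer certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns. They exist only so the helpers
# below can be exercised offline; the issuer names are made up.
SAMPLE_DECRYPTED = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "Example-Corp Forward Trust CA"),),
    ),
}
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "www.facebook.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA Inc"),),
        (("commonName", "Example Public CA"),),
    ),
}


def issuer_common_name(peercert: Dict[str, Any]) -> Optional[str]:
    """Return the issuer CN from a getpeercert() dict, or None if absent."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_decrypted_by_firewall(peercert: Dict[str, Any],
                             ca_cn: str = FORWARD_TRUST_CA_CN) -> bool:
    """True when the cert the client saw was minted by the forward-trust CA,
    i.e. the session matched a decrypt rule rather than passing through."""
    return issuer_common_name(peercert) == ca_cn


def probe(host: str, port: int = 443,
          forward_trust_cafile: Optional[str] = None,
          timeout: float = 5.0) -> Dict[str, Any]:
    """Connect to host:port through the firewall and summarise what the
    client negotiated. forward_trust_cafile is the exported forward-trust
    CA (PEM); loading it lets verification succeed for decrypted sessions
    while the system store still covers pass-through sessions, so
    getpeercert() returns a populated dict in both cases."""
    ctx = ssl.create_default_context()
    if forward_trust_cafile:
        ctx.load_verify_locations(cafile=forward_trust_cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "tls_version": tls.version(),   # e.g. "TLSv1.2"
                "issuer_cn": issuer_common_name(cert),
                "decrypted": is_decrypted_by_firewall(cert),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.facebook.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        print(probe(target, forward_trust_cafile=cafile))
    except ssl.SSLCertVerificationError as exc:
        # Neither the system store nor the forward-trust CA signed the chain:
        # the client does not trust whatever is terminating TLS for this host.
        print(f"{target}: certificate verification failed: {exc}")
```

Run it once from a machine inside the decrypt zone with the exported forward-trust CA as the second argument and once from a host that is exempt. If a site that the firewall is supposed to decrypt reports a public issuer, the session is matching a no-decrypt rule or an earlier rule than you expect; if the browser shows a pinning or preloaded-certificate error while this script succeeds, the problem is client-side trust rather than the rule. The negotiated `tls_version` is the value to compare against what the firewall platform supports when chasing the TLS 1.1-or-newer question.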

Well, perhaps I should have quantified that statement a little bit. OUR banking sites don't like it when the traffic is decrypted before getting to the end point. And yes, ours does use a cert. We have a card reader that we have to pull the certs from a card they send us to get it all to work properly. But that is getting a bit off topic.

All I was suggesting is to try a no-decrypt rule to see if that allows him through, as that is what worked for me in other cases. Not Facebook though, as we block that across the board.

L0 Member

Thanks , &

I specified in my decryption rule to match on all categories (I added them all explicitly)

I tried with IE, Chrome & Firefox, and it seems that the problem is with Firefox only!
