Facebook is not displaying its page/images properly when SSL Decryption is enabled

Reply
Highlighted
Not applicable

Facebook is not displaying its page/images properly when SSL Decryption is enabled

Facebook is not displaying its page/images properly when SSL Decryption is enabled

any ideas why ?

*Note: I have a rule allowing ANY destination with ANY application with ANY service, also another rule i tried was with ANY destination with Explicitly allowing all facebook applications on service ANY, and yet it didn't work.

My SSL Forward certificate is 1024-bit sha-1

pa-ssl-decryption.jpg

Tags (2)
Highlighted
L5 Sessionator

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

Are you using any URL categories in the decrypt rule.

How abt using IE/Chrome?

Highlighted
L3 Networker

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

A lot of sites like this don't like you to have a SSL decrypt rule in place. I have had the same problem with Dropbox and in the end I had to put a no-decrypt rule in specifically for the people who use that service.

Basically, the site is saying that it doesn't like you doing something in the middle of the transmitting, like SSL decryption. Those sites will generally give you a reduced webpage much like what your screenshot showed.

Try going to your Decryption rules and adding one that says, Any source, any destination, URL category as only Facebook, no decrypt and ssl-forward Proxy. If that works you may want to restrict it down to specific sources or specific destination zone. 

Highlighted
L6 Presenter

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

Ehm woot?

The reason the dropbox client doesnt work is that the dropbox client has a hardcoded ssl cert that if this doesnt match (as when ssl decryption is in progress) the client refuse to connect - same goes with windowsupdate (that is the client - not when used through webbrowser) for that matter.

However the dropbox through webbrowser will still work even if you do ssl decryption.

Regarding facebook you should check your browser that the facebook server cert isnt already preloaded. I think both firefox and google chrome started to do something like that last year or so.

What you then need to do, except adding the cert used to create these MITM ssl certs as a trusted CA, is to clear any preloaded server certs regarding facebook.

Also note that facebook uses various CDN which also must be reachable by the client.

Except for this - how is your ssl decrypt rule setup?

Highlighted
L3 Networker

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

No. I have a rule that says Decrypt all sites. Unless I have another rule in saying no-decrypt on dropbox then the website does not work. Gives an SSL error.

I know about the Dropbox client and the hardcoded SSl cert as I had to change that to get it to work, but this is a website both ksabry and I are talking about, not any client software. And in these cases if you have a decrypt all sites rule in place, then you would need a no-decrypt rule for certain sites. Such as banking sites for instance. They don't like it when you decrypt their traffic before it gets to the end point and will not allow you to log on.

Highlighted
L6 Presenter

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

Unless the bank uses a client cert (which very few does) - how would the bank be able to detect that the ssl traffic is being intercepted at the client end according to you ?

Regarding the Facebook problem - verify if they only accept TLS 1.1 or newer? If so then PA might lack support to handle TLS 1.1 and newer ssl based communication.

Highlighted
L3 Networker

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

Well perhaps I should have quantified that statement a little bit. OUR banking sites don't like it when the traffic is decrypted before getting to the end point. And yes, ours does use Cert. We have a card reader that we have to pull the certs from a card they send us to get it to all work properly. But that is getting a bit off topic.

All I was suggesting is to try a no-decrypt rule to see if that allows him through as that is what worked for me in other cases. Not facebook though as we block that across the board.

Not applicable

Re: Facebook is not displaying its page/images properly when SSL Decryption is enabled

Thanks , &

I specified in my decryption rule to match on all categories (I added them all explicitly)

I tried with IE, Chrome & Firefox and seems that the problem is with Firefox only!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!