PANOS 8.0.7 SSL inbound inspection affects SSLLabs score

L2 Linker

Hi,

When we do SSL inbound inspection for some of our web servers, the SSLLabs test score goes from A+ to B. I also tested with "openssl s_client -connect mailadmin.artvin.edu.tr:443 -showcerts" and it shows the same problem. The problem is, when doing SSL inbound inspection, both the SSLLabs test and the openssl test show "Secure Renegotiation IS NOT supported" and the intermediate server certificate absent. But our web server sends the intermediate SSL certificate to the client and it also supports "Secure Renegotiation". If I disable SSL inbound inspection, both tests give the expected results.

Here are the openssl test results, with inspection off and then on:

[root@syslog ~]# openssl s_client -connect mailadmin.artvin.edu.tr:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
verify return:1
depth=0 C = TR, L = Artvin, O = Artvin Coruh Universitesi, OU = Bilgi Islem Daire Baskanligi, CN = *.artvin.edu.tr
verify return:1
---
Certificate chain
 0 s:/C=TR/L=Artvin/O=Artvin Coruh Universitesi/OU=Bilgi Islem Daire Baskanligi/CN=*.artvin.edu.tr
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=TR/L=Artvin/O=Artvin Coruh Universitesi/OU=Bilgi Islem Daire Baskanligi/CN=*.artvin.edu.tr
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3159 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4E1EF676162571A8CF2832DF6F0E11B7BD727E45323796ED7587538336AE568A
    Session-ID-ctx:
    Master-Key: F727E11EDB02ACDA3D412090CF837CB1DDE501E81E635711BA5BDA8CF1C384FCCF3D45D74D4BD58E172DA932E0F0B710
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 77 50 d3 eb 5b c5 2c 47-63 62 b3 37 2a 8c 2c 4f   wP..[.,Gcb.7*.,O
    0010 - df e8 70 92 67 16 93 75-94 b6 12 e0 d4 7c a7 01   ..p.g..u.....|..
    0020 - 62 59 51 23 de a8 92 0d-90 61 d5 df da d7 ad dc   bYQ#.....a......
    0030 - da 1a 9f 3d b2 ee 3b c4-c1 1e 6a 14 98 1e fb 81   ...=..;...j.....
    0040 - 59 f3 4c 2a 24 b9 5b c8-dc 70 61 07 d4 08 6d f6   Y.L*$.[..pa...m.
    0050 - 44 af 6b ae 25 4e f6 87-30 a3 ed e9 d4 f7 02 b6   D.k.%N..0.......
    0060 - 45 51 02 d6 59 88 ec 77-fc 24 ba 91 93 a6 0e ef   EQ..Y..w.$......
    0070 - bc 95 6d b2 76 32 d4 b1-1e 9c 8a 80 2f d1 8d a6   ..m.v2....../...
    0080 - b5 85 b6 74 0c bd 72 50-d2 15 c6 8d b3 e6 b0 16   ...t..rP........
    0090 - e3 32 5c e6 1d 05 9b 0c-4e 6e 03 c5 b1 29 ad d5   .2\.....Nn...)..
    00a0 - 2a ed 56 bd e1 65 c5 c4-ee a6 8d 9e 0a 67 b5 62   *.V..e.......g.b
    00b0 - c9 3b 9a f9 40 d4 73 7f-b6 12 57 7e 09 35 fa 0a   .;..@.s...W~.5..

    Start Time: 1520404780
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

[root@syslog ~]# openssl s_client -connect mailadmin.artvin.edu.tr:443 -showcerts
CONNECTED(00000003)
depth=0 C = TR, L = Artvin, O = Artvin Coruh Universitesi, OU = Bilgi Islem Daire Baskanligi, CN = *.artvin.edu.tr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = TR, L = Artvin, O = Artvin Coruh Universitesi, OU = Bilgi Islem Daire Baskanligi, CN = *.artvin.edu.tr
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=TR/L=Artvin/O=Artvin Coruh Universitesi/OU=Bilgi Islem Daire Baskanligi/CN=*.artvin.edu.tr
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=TR/L=Artvin/O=Artvin Coruh Universitesi/OU=Bilgi Islem Daire Baskanligi/CN=*.artvin.edu.tr
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1792 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 75E71645A6DEE3E5AF5E5F02A48FBD26D8F922497A9B2C733CB6E22B32C00542
    Session-ID-ctx:
    Master-Key: ECA34D1D7520AA670597A2C6FA6454BF7F6DC2A572DF8F2FEC33CE24FBF908F4573A97CCB1F5146C2AEB24CC938B609D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1520404564
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

As you see, with inspection on the server's intermediate certificate does not reach the client somehow. And it shows "Secure Renegotiation IS NOT supported".

Can any of you test if this is reproducible on your side?

Regards,

Rahman
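The check the first post performs by eye, as an added shell example that is not part of the thread or of any Palo Alto Networks tooling: it reads a saved "openssl s_client -showcerts" transcript and flags the two symptoms reported above, a chain that contains only the leaf certificate and "Secure Renegotiation IS NOT supported", together with the verify return code. The two transcripts embedded in it are constructed, shortened samples modeled on the inspection-off and inspection-on runs above; the host name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto Networks): check a saved
# `openssl s_client -showcerts` transcript for the two symptoms reported above.
# Capture one with:  openssl s_client -connect HOST:443 -showcerts </dev/null >capture.txt 2>&1
# (HOST is a placeholder). The transcripts below are constructed, shortened samples.

# Number of certificates the server sent; 1 means only the leaf, so the
# intermediate is missing from the presented chain.
chain_length() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Whether the server negotiated RFC 5746 secure renegotiation (yes/no/unknown).
secure_reneg() {
    if grep -q '^Secure Renegotiation IS supported' "$1"; then echo yes
    elif grep -q '^Secure Renegotiation IS NOT supported' "$1"; then echo no
    else echo unknown
    fi
}

# Numeric verify result from the SSL-Session block (0 = chain verified).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Prints OK, or a comma-separated list of findings for the transcript.
assess() {
    n=$(chain_length "$1"); r=$(secure_reneg "$1"); v=$(verify_code "$1")
    findings=""
    [ "$n" -ge 2 ] || findings="${findings}INTERMEDIATE_MISSING,"
    [ "$r" = yes ] || findings="${findings}NO_SECURE_RENEG,"
    [ "${v:-1}" -eq 0 ] || findings="${findings}VERIFY_FAILED:${v:-none},"
    if [ -z "$findings" ]; then echo OK; else printf '%s\n' "${findings%,}"; fi
}

# Constructed sample transcripts (placeholder certificate bodies, not real ones).
SAMPLE_OFF=$(mktemp); SAMPLE_ON=$(mktemp)
trap 'rm -f "$SAMPLE_OFF" "$SAMPLE_ON"' EXIT
cat >"$SAMPLE_OFF" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=*.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
---
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
EOF
cat >"$SAMPLE_ON" <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.example.test
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=*.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER
-----END CERTIFICATE-----
---
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 21 (unable to verify the first certificate)
---
EOF

echo "inspection off: $(assess "$SAMPLE_OFF")"
echo "inspection on:  $(assess "$SAMPLE_ON")"
```

Run it against a real capture by replacing the sample path with your file; a result of INTERMEDIATE_MISSING on the inspected path while the direct-to-server capture reads OK points at the certificate imported on the firewall rather than at the web server.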

L2 Linker

Re: PANOS 8.0.7 SSL inbound inspection affects SSLLabs score

Bump.

Can anybody try to reproduce this?

Regards,

Rahman

L2 Linker

Re: PANOS 8.0.7 SSL inbound inspection affects SSLLabs score

When importing the server cert, also append the intermediate cert.

Case Secure Renegotiation

https://live.paloaltonetworks.com/t5/General-Topics/Secure-Renegotiation-IS-NOT-supported/m-p/207867

L2 Linker

Re: PANOS 8.0.7 SSL inbound inspection affects SSLLabs score

Should I append the intermediate certificate to the server certificate file or just import it separately into PANOS->Certificates?

Regards,

Rahman

L2 Linker

Re: PANOS 8.0.7 SSL inbound inspection affects SSLLabs score

Importing the intermediate certificate alone did not work, but appending the intermediate certificate directly to the server certificate's text file and importing the server certificate and key file again into PANOS did the trick. Thanks for the hint.

Regards,

Rahman

L2 Linker

Re: PANOS 8.0.7 SSL inbound inspection affects SSLLabs score

Server cert and intermediate cert in a single PEM file.

cert.pem file example:

-----BEGIN CERTIFICATE-----
......
server cert
.......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
......
intermediate cert1
.......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
......
intermediate cert2
.......
-----END CERTIFICATE-----
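The file layout above, assembled and checked by an added shell example (not from the thread or from Palo Alto Networks): it concatenates a server certificate and its intermediates into one PEM file in that order, drops any "Bag Attributes" text left by a PKCS#12 export, and confirms the server certificate ends up first, which is where TLS requires the sender's own certificate. All input files are constructed placeholders, not real certificates; the build_chain_pem, pem_block and leaf_is_first names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto Networks): build the
# single PEM file laid out in the reply above, server certificate first and
# intermediates after it, and check the result before importing it together
# with the private key into PAN-OS. The input files are constructed placeholders.

# Count PEM certificate blocks in a file.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th certificate block (1-based) of a PEM file and nothing else.
pem_block() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# build_chain_pem OUT SERVER.crt INTERMEDIATE1.crt [INTERMEDIATE2.crt ...]
# Each input must hold exactly one certificate; text outside the PEM block,
# such as "Bag Attributes" lines, is not copied. Echoes the final block count.
build_chain_pem() {
    out=$1; shift
    [ $# -ge 2 ] || { echo "need a server cert and at least one intermediate" >&2; return 1; }
    : > "$out"
    for f in "$@"; do
        c=$(pem_cert_count "$f")
        if [ "$c" -ne 1 ]; then
            echo "expected exactly one certificate in $f, found $c" >&2
            return 1
        fi
        pem_block "$f" 1 >> "$out"
    done
    pem_cert_count "$out"
}

# Sanity check: the first block of the bundle must be the server certificate,
# since TLS requires the server's own certificate before any issuer certificates.
leaf_is_first() {
    [ "$(pem_block "$1" 1)" = "$(pem_block "$2" 1)" ]
}

# Constructed inputs (placeholder bodies, not real certificates).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'Bag Attributes\n    friendlyName: web\n-----BEGIN CERTIFICATE-----\nSERVER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$WORK/server.crt"
printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE-1-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$WORK/inter1.crt"
printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE-2-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$WORK/inter2.crt"

build_chain_pem "$WORK/cert.pem" "$WORK/server.crt" "$WORK/inter1.crt" "$WORK/inter2.crt"
leaf_is_first "$WORK/cert.pem" "$WORK/server.crt" && echo "cert.pem: server cert first, ready to import with the key"
```

After importing the bundle and key and re-committing, repeat the openssl s_client test from the first post: the Certificate chain section should list two or more entries and the session should end with "Verify return code: 0 (ok)".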
