I have installed an SSL decryption policy (forward proxy) for particular users. It's working fine, but a problem occurred. A Korean messenger application called kakao-talk for PC is not able to log in while the forward-proxy SSL decryption policy is applied. So I captured PCAPs of the kakao-talk login and found it was using TLS version 1.1 and Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035).
I could not find any document on unsupported cipher suites for forward proxy (outbound SSL decryption). My question is: can PAN not support the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA? How do I bypass the unsupported cipher suite for outbound SSL decryption? I tried to create a decryption profile that does not enable any block policy, but it could not be bypassed and kakao-talk was not able to log in.
Please let me know which cipher suites are unsupported for outbound SSL decryption and how I can bypass the unsupported outbound SSL decryption traffic.
Thanks in advance.
Do you have a decryption profile assigned to the decryption policy (Options tab in the policy)? If so, can you verify whether "Block sessions with unsupported cipher suites" is selected, disable it and try again? You can define what should be blocked or not blocked for the Unsupported Modes in the decryption profile.
Thanks for your interest in my question.
Yes, the decryption profile is assigned to the decryption policy and I disabled the option "Block sessions with unsupported cipher suites", but the kakao-talk application still cannot log in.
For SSL decryption, we only support SSLv3, TLSv1.0, and TLSv1.1 (TLSv1.2 will be downgraded in forward-proxy mode as of 4.1.9 and 5.0.0).
Supported cipher suites:
Hope this helps.
Thanks for the information. It's strongly needed information.
But I have a remaining question: how do I bypass the unsupported SSL traffic, such as SSL using an unsupported cipher suite?
Should I not assign the SSL decryption profile, so that the unsupported SSL traffic is bypassed? Or how?
I tried to find the URL for the SSL handshake but could not find it. I believe that Cipher Suite TLS_RSA_WITH_AES_256_CBC_SHA hides the URL for the SSL handshake, right? I am not sure.
If I found the URL for the SSL handshake and PAN recognized the SSL URLs, I could make a no-decrypt rule, but right now I cannot.
First of all, we can't decrypt where Diffie-Hellman is used in the key establishment. SSL traffic will be encrypted, so we cannot see the original URL in the URL logs. URL logs will give us the certificate name. If you have the destination IP address, you can create a No-Decryption policy for that specific destination (top of the policy table).
Thanks for the information. Finally I created a no-decrypt rule with the destination address and it's working fine.
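The capture analysis from the question (TLS 1.1, suite 0x0035) and the key-exchange point in the answer above, as an added example that is not part of the original thread and not Palo Alto's own code: a small parser for a raw TLS ClientHello record that reports the offered protocol version and cipher suites and tags each suite's key-exchange family (RSA vs. Diffie-Hellman) so you can see what an application offers before deciding on a no-decrypt rule. The sample ClientHello is constructed here; suite names are from the IANA registry.

```python
import struct

# A few IANA cipher-suite names; 0x0035 is the suite seen in the question's capture.
SUITE_NAMES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def key_exchange(name):
    """Classify the key-exchange family from the suite name ("DH" covers DHE/ECDHE/DH/ECDH)."""
    if name.startswith(("TLS_DHE_", "TLS_ECDHE_", "TLS_DH_", "TLS_ECDH_")):
        return "DH"
    if name.startswith("TLS_RSA_"):
        return "RSA"
    return "unknown"

def parse_client_hello(data):
    """Return the client_version and offered cipher suites from a TLS record carrying a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip client_version and random
    sid_len = hello[pos]; pos += 1 + sid_len       # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "version": VERSIONS.get(version, f"0x{version:04x}"),
        "suites": [(f"0x{s:04x}", SUITE_NAMES.get(s, "unknown"),
                    key_exchange(SUITE_NAMES.get(s, ""))) for s in suites],
    }

def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (empty session id, no extensions) for offline testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00")
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body

# Constructed sample: a TLS 1.1 client offering the question's suite first.
SAMPLE = build_client_hello(0x0302, [0x0035, 0x002F, 0xC014])
```

On a real capture, feed the function the TCP payload of the first client packet after the handshake starts; the record starts with byte 0x16.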
Have a nice day.