SSL Decryption issue (wrong certificate)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption issue (wrong certificate)

L6 Presenter

Hi All,

 

Having SSL Decryption issue with one of the websites at the moment (https://wiki.freeradius.org/Home)

So testing without decryption and checking certs chain:

 

PA1.PNG

 

Can see root CA on Palo:

 

PA2.PNG

 

So all looks good. Implementing SSL Decryption (test version only) with two certs generated on PA one for forward trust another is for forward untrust:

 

CERTS.PNG

 

Doing a test with some websites reviewing a forward trust cert. As an example bbc.co.uk:

 

BBC.PNG

 

l didn't import cert to the test PC as want to confirm first everything is working fine.

Done another test with the websites which allow decryption all looks good correct cert is forwarded. But for the website https://wiki.freeradius.org/Home getting the wrong cert which is forward untrust:

 

PA3.PNG

 

Don't know why. Cache is cleared, and the new cert is recreated for untrust but still the same. 

 

PA-5050 Active/Active PAN-OS 7.1.5

 

Am l missing something simple?

 

Regards,

Myky

2 accepted solutions

Accepted Solutions

L3 Networker

L7 Applicator

I'm not certain, but this might be caused by an incomplete certificate chain (per ssllabs.com):

 

cert.png

 

The traffic log complains about cert-validation as well:

 

traffic.png

 

 

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org

 

 

View solution in original post

13 REPLIES 13

L3 Networker

L7 Applicator

I'm not certain, but this might be caused by an incomplete certificate chain (per ssllabs.com):

 

cert.png

 

The traffic log complains about cert-validation as well:

 

traffic.png

 

 

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org

 

 

L6 Presenter

@jvalentine @Gertjan-HFG thanks all. Looks like l missing something simple. Why the web-browser is not complaining without ssl decryption in place?

Its because you use IE.

IE wil try to dowload the missing certificates in the chain.

Try firefox and it will complain.

@Gertjan-HFG ok with firefox l am not even able to open this website. Chrome also is not complaining:

 

Chrome.PNG

I am new to SSL so if you can let me know what is actually happening with the server cert l will appreciate:0

 

Thx,

Myky

Its not a problem of the PA or your decryption settings.

 

The website certificate is incorrect configured, the intermediate certificates are missing.

Thats why the PA sends the "not trusted" certificate to your browser.

Hi @Gertjan-HFG

 

Ok cool as you said before IE and Chrome will ignore this, right? As long as it has a root CA.

 

Thx,

Myky

Yes,  Chrome(uses the windows cert store) and IE will try to download the intermediate certs as long as they have a valid root CA in their certificate store.

Cool l have learned something new today. Thanks/ Last thing Do you have any good article explaining this?

 

Thx,

Myky

Your welcome.

I don't have documentation on this issue specific.  ( its all in my head 😉 )

L6 Presenter

To fix the issue for this particular website l did import a COMODORSADomainValidationSecureServerCA.crt to the box:

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Fi...

 

 

In my opinion is importing the intermediate certificate in this situation wrong.

The behaviour was as expected and correct.

 

With this "fix", you are covering a warning that the site is misconfigured.

I do agree with you as really it is a  "masquerading" of the problem. 

  • 2 accepted solutions
  • 6650 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!