SSL decryption issues with latest Firefox

L4 Transporter

SSL decryption issues with latest Firefox

I'm having SSL decryption issues with the latest versions of Firefox.

In Firefox I get the following error when visiting an https site:

Secure Connection Failed

An error occurred during a connection to live.paloaltonetworks.com. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

Seems to be related to how Firefox handles certificates, requiring them to be more secure (number of bits and encryption algorithm), but I haven't found the exact requirements yet.

I can generate and deploy a new certificate, but I'm not sure what will give me one Firefox will accept.

Any thoughts?

L4 Transporter

Re: SSL decryption issues with latest Firefox

Also seems related to the Issuer CN in the certificate (see 1153204 – Firefox doesn't connect to https://www.deutschepost.de/ because its issuer certificate con... )

In our case it contains the IP address of the firewall, where Firefox seems to expect a DNS name.

I have not been able to confirm this yet...

L4 Transporter

Re: SSL decryption issues with latest Firefox

Does this happen with all https URLs?

L4 Transporter

Re: SSL decryption issues with latest Firefox

All URL categories that require decryption, yes. So the error definitely relates to the decryption certificate (and not the websites I'm trying to visit).

L1 Bithead

Re: SSL decryption issues with latest Firefox

Hi Dieterb,

Was your issue solved? If not, it would be useful if you can write the Firefox version and the CA certificate information.

Regards,

L4 Transporter

Re: SSL decryption issues with latest Firefox

Firefox 38.

Firefox 37 and earlier are not affected.

I have not tried a newer beta yet.

Certificate is one generated with PA. It only contains a handful of default attributes (organization, email ...).

Replacing the IP with a valid DNS entry did not resolve the issue.

One would call it a Firefox issue... But I guess it's the way the PA generates the certificate. Would be good to know if this issue is resolved with a newer PANOS version or to have a workaround.

Community Team Member

Re: SSL decryption issues with latest Firefox

What version of Pan-OS are you using?

Also, does Chrome or Internet Explorer show the same error while the firewall is attempting to decrypt it?

Stay Secure,
Joe
End of line
Not applicable

Re: SSL decryption issues with latest Firefox

It doesn't seem to affect IE or Chrome, but as of Firefox 38.01 we are also seeing the issue. Specifically for us it's affecting https://accounts.google.com.

https://bugzilla.mozilla.org/show_bug.cgi?id=1148766

L4 Transporter

Re: SSL decryption issues with latest Firefox

We are on 5.0.11

Community Team Member

Re: SSL decryption issues with latest Firefox

I bet you are correct, that this is happening due to Firefox handling the security/certificates differently than IE and Chrome.

This also has to do with how PAN is decrypting and encrypting the traffic differently than what Firefox is expecting, thus causing this issue.

I would recommend opening a case with TAC - PAN Support, if you do not already have one, to get this addressed.

Stay Secure,
Joe
End of line