"decrypt-unsupport-param" error on Inbound SSL Decryption

L3 Networker

"decrypt-unsupport-param" error on Inbound SSL Decryption

I am trying to get inbound SSL decryption for our web server. I imported our web server's SSL certificate with private key to the Palo. It shows "Valid" and the "private key" checkbox is checked.

But the log shows it is not getting decrypted, and I'm seeing the session end "decrypt-unsupport-param".

The certificate is signed by a CA, 2048-bit, SHA256.

L7 Applicator

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Hello,

According to the documentation, here is what it means:

The session used an unsupported protocol version, cipher, or SSH algorithm. This session end reason is also displayed when the session produced a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.

https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networking-features/ssl-ss...

I however do not know how to resolve it. I'm sure a ticket into TAC could be a quicker answer?

Hope this helps.

kdd
L4 Transporter

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Hi,

Please take a look at "Objects > Decryption Profile", at the default profile or your own configured profile. Take the tab "SSL Decryption" and then "SSL Protocol Settings". Now you can choose the Protocol Version, Key Exchange Algorithms, Encryption Algorithms and Authentication Algorithms. Hope this helps.

Regards,

Klaus

L3 Networker

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Ok, I checked the decryption profile, and the default already has every option checked. Seems to be some other issue, then.

kdd
L4 Transporter

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Hi,

I think it is necessary to debug. Maybe it is an unsupported cipher.

Regards,

Klaus

kdd
L4 Transporter

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Another thing is to check the decryption policy for the right decryption profile ...

L3 Networker

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

It's a basic certificate acquired from Digicert.com. When I look at the certificate itself, it says it's RSA SHA256, 2048-bit. But I don't see where it says the encryption algorithm, though (like AES-128CBC or AES-256GCM). I will ask the CA vendor.

kdd
L4 Transporter

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Please check that the DigiCert certificate is among the certificate authorities. This is necessary for a trusted relationship and thus to decrypt.

kdd
L4 Transporter

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Take a look at the picture; I think it is the DHE or ECDHE. Both are supported, but not for the inbound direction, just for SSL Forward Proxy.

kdd
L4 Transporter

Re: "decrypt-unsupport-param" error on Inbound SSL Decryption

Both algorithms (DHE and ECDHE) are only supported for SSL Forward Proxy, not for the inbound direction. Take a look at the photo.

[Attachment: algo.PNG]
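The thread ends with the diagnosis that DHE and ECDHE key exchange is not supported for inbound decryption on this release. The underlying reason is that inbound inspection with only the server's private key is passive: it can recover the session keys when the client encrypts the premaster secret to the server's RSA public key (static RSA key exchange), but with DHE/ECDHE the private key merely signs ephemeral parameters and reveals nothing about the shared secret. The script below is an added example, not code from the thread's posters or from Palo Alto Networks: it parses cipher-suite names in IANA form (TLS_..._WITH_...) and OpenSSL short form (ECDHE-RSA-...), classifies their key exchange, and splits a server's cipher list into the suites a passive inspector can decrypt and those whose sessions would end in decrypt-unsupport-param. The sample cipher list is constructed for the example.

```python
"""
Predict whether a TLS session can be decrypted by passive SSL Inbound
Inspection, i.e. by a device that holds only the server's RSA private key.

Added example for this thread; not code from the posters or from Palo Alto
Networks.  Only static RSA key exchange is decryptable with the private key;
(EC)DHE, static (EC)DH, PSK, SRP and anonymous suites are not.
"""
import re
from collections import Counter

# Constructed sample, shaped like an OpenSSL-style server cipher list.  The mix
# of RSA and (EC)DHE suites is what makes some sessions decrypt and others end
# with "decrypt-unsupport-param", depending on which suite the client picks.
SAMPLE_SERVER_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:"
    "AES256-SHA:"
    "TLS_AES_128_GCM_SHA256"
)

EPHEMERAL = {"DHE", "ECDHE"}
STATIC_DH = {"DH", "ECDH"}
ANON = {"ADH", "AECDH"}


def key_exchange(suite):
    """Return the key-exchange mechanism encoded in a cipher-suite name."""
    suite = suite.strip()
    if suite.startswith("TLS_"):
        m = re.match(r"^TLS_(.+?)_WITH_", suite)
        if m is None:
            # TLS 1.3 names carry no key-exchange token: it is always ephemeral.
            return "ECDHE"
        tokens = m.group(1).split("_")      # e.g. ["ECDHE", "RSA"], ["DH", "anon"]
    else:
        tokens = suite.split("-")           # e.g. ["ECDHE", "RSA", "AES128", ...]
    upper = [t.upper() for t in tokens]
    first = upper[0]
    if "PSK" in upper:
        return "PSK"                        # premaster depends on a pre-shared key
    if first in ANON or "ANON" in upper:
        return "anon"                       # no server authentication at all
    if first in EPHEMERAL:
        return first                        # DHE / ECDHE: forward secrecy
    if first in STATIC_DH:
        return "static-DH"                  # (EC)DH certificate keys, not RSA
    if first == "SRP":
        return "SRP"
    # IANA "TLS_RSA_WITH_..." and OpenSSL names with no kx prefix (AES128-SHA)
    return "RSA"


def passive_decryptable(suite):
    """True if a device holding the server's RSA private key can derive the keys."""
    return key_exchange(suite) == "RSA"


def split_cipher_list(cipher_list):
    """Split a ':'-separated cipher list into (decryptable, unsupported) suites."""
    ok, unsupported = [], []
    for suite in filter(None, cipher_list.split(":")):
        (ok if passive_decryptable(suite) else unsupported).append(suite)
    return ok, unsupported


def summarize(cipher_list):
    """Count suites per key-exchange mechanism."""
    return Counter(key_exchange(s) for s in cipher_list.split(":") if s)


if __name__ == "__main__":
    ok, bad = split_cipher_list(SAMPLE_SERVER_CIPHERS)
    print("decryptable with the server's private key:")
    for s in ok:
        print("  ", s)
    print("will end in decrypt-unsupport-param under passive inbound inspection:")
    for s in bad:
        print("  ", s, "->", key_exchange(s))
    print(dict(summarize(SAMPLE_SERVER_CIPHERS)))
```

Run it against the web server's real cipher list (the value configured on the server, or the suites an `openssl ciphers -v` listing reports) to see which negotiations the firewall can follow. Trimming the server to the RSA suites makes every session decryptable but gives up forward secrecy for those clients; the alternative the thread points at is a decryption mode that proxies the handshake (SSL Forward Proxy) rather than observing it passively.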