SSL decrypt exclude cache and unsupported ECDHE cipher suites



If a website or destination host only supports ECDHE SSL cipher suites, SSL decryption with the forward proxy will not work.

The reason is that the ECDHE cipher suites are not supported by the forward proxy feature.


Let's take a look at how the SSL decryption forward proxy feature handles unsupported ECDHE cipher suites.

  • The client sends an SSL client hello to the website or destination host. The client hello lists all the SSL cipher suites the client supports, which include the ECDHE cipher suites. The Palo Alto Networks firewall intercepts the client hello packet, selects the supported ciphers from this list (removing the ECDHE ones), re-crafts the SSL client hello and proxies it to the website.
  • If the website does not support any non-ECDHE ciphers, the website or destination host replies with an SSL handshake failure alert (error code 40, unsupported ciphers).
  • The packet containing 'SSL HANDSHAKE failure: error code 40 - unsupported ciphers' is the trigger that tells the Palo Alto Networks firewall that the website or destination host does not support the proposed SSL cipher suites. The firewall gives up decryption for this website and adds it to its 'ssl-decrypt exclude cache'.
  • From then on, the Palo Alto Networks firewall will not proxy any subsequent connections to this website or destination host.
  • The lifetime of an SSL decrypt exclude cache entry is 12 hours. It persists as long as no change is made to the decryption policy.
  • If you collect another packet capture on the firewall at the receive and transmit stages and compare them, you can see that the SSL cipher suites proposed in the client hello by the actual client machine behind the firewall and in the client hello relayed by the firewall are the same. SSL decryption forward proxy has thus been bypassed for this host.

Beginning with PAN-OS 7.0.1

SSLv3 is the minimum SSL protocol version that is supported. It is not supported in FIPS mode, however.

The SSL decrypt exclude cache now works in tandem with the configured decryption settings, as follows.


The server URL/IP, application and decryption profile are put in the exclude cache if:
  • The decryption mode is SSL Forward Proxy, and both "Block sessions with unsupported version" and "Block sessions with unsupported cipher suites" are unchecked.
  • The failure is caused by the server side rather than the client side. The failure is signalled either in the server hello or in an alert from the server.


For example:

PA-VM> show system setting ssl-decrypt exclude-cache

VSYS  SERVER  APP  TIMEOUT  REASON           DECRYPTED_APP  PROFILE
1             ssl  43186    SSL_UNSUPPORTED  undecided      Decrypt Stream


In the above output from the command line of the Palo Alto Networks firewall:
  • VSYS: 1 is the ID of the default virtual system (vsys1).
  • SERVER: the IP address of the website / destination host.
  • APP: ssl, the application seen when the entry was created.
  • TIMEOUT: 43186 is the remaining lifetime of the cached entry in seconds. The maximum cache lifetime is 12 hours, or 43200 seconds.
  • REASON: SSL_UNSUPPORTED means the server's SSL cipher suites are unsupported, which is why the entry was added to the exclude cache.
  • DECRYPTED_APP: undecided, because the session was not decrypted, so the firewall does not know the underlying application.
  • PROFILE: Decrypt Stream is the name of the decryption profile referenced in the SSL decryption policy.


The cache can be cleared using the following CLI command and its options:

PA-VM> debug dataplane reset ssl-decrypt exclude-cache
+ application    application
+ server         server address and port

For example: debug dataplane reset ssl-decrypt exclude-cache application ssl server
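The following is an added simulation, not code from the article or from PAN-OS, of the exclude-cache behaviour described above: the firewall strips ECDHE suites from the client hello, an ECDHE-only server answers with a fatal handshake_failure alert (description 40), the server is cached for 43200 seconds only when neither "Block sessions with unsupported..." option is checked, later connections are bypassed until the entry expires, and a reset clears the cache. The cipher suite names, server addresses and timestamps are constructed test values.

```python
# Constructed simulation of the exclude-cache behaviour the article describes.
ECDHE_PREFIX = "TLS_ECDHE_"   # suites the forward proxy cannot proxy (per the article)
EXCLUDE_CACHE_TTL = 43200     # 12 hours, the maximum lifetime shown in the CLI output
# TLS alert record: type 0x15, version 3.3, length 2, level 2 (fatal), description 40 (handshake_failure)
ALERT_HANDSHAKE_FAILURE = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

def filter_client_hello(offered):
    """Firewall re-crafts the ClientHello, dropping the ECDHE suites it cannot proxy."""
    return [c for c in offered if not c.startswith(ECDHE_PREFIX)]

def server_respond(server_suites, proposed):
    """Constructed origin server: picks the first mutually supported suite, else sends alert 40."""
    for c in proposed:
        if c in server_suites:
            return ("server_hello", c)
    return ("alert", ALERT_HANDSHAKE_FAILURE)

def is_handshake_failure(record):
    """True for a fatal handshake_failure alert (level 2, description 40)."""
    return len(record) >= 7 and record[0] == 0x15 and record[5] == 2 and record[6] == 40

class ExcludeCache:
    """Models 'show system setting ssl-decrypt exclude-cache' entries keyed by server."""
    def __init__(self, block_unsupported_cipher=False, block_unsupported_version=False):
        self.entries = {}         # server -> (reason, expiry timestamp)
        self.block = block_unsupported_cipher or block_unsupported_version

    def add(self, server, reason, now):
        if self.block:            # with a Block option checked the session is blocked, not cached
            return False
        self.entries[server] = (reason, now + EXCLUDE_CACHE_TTL)
        return True

    def timeout(self, server, now):
        """Remaining seconds (the TIMEOUT column), or None once expired or never cached."""
        entry = self.entries.get(server)
        if entry is None or now >= entry[1]:
            self.entries.pop(server, None)
            return None
        return entry[1] - now

    def reset(self):              # debug dataplane reset ssl-decrypt exclude-cache
        self.entries.clear()

def handle_connection(server, server_suites, offered, cache, now):
    """One client connection through the forward proxy; returns the firewall's decision."""
    if cache.timeout(server, now) is not None:
        return "bypassed"         # ClientHello relayed unchanged, decryption not attempted
    kind, payload = server_respond(server_suites, filter_client_hello(offered))
    if kind == "alert" and is_handshake_failure(payload):
        return "excluded" if cache.add(server, "SSL_UNSUPPORTED", now) else "blocked"
    return "decrypted"
```

Running a first connection at time 1000 against an ECDHE-only server and querying the cache 14 seconds later reproduces the 43186-second TIMEOUT shown in the CLI output above.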


Please refer to the PAN-OS New Features Guide for more information about the enhancements made to the SSL decryption feature.
New Features Guide


Read this article for more information about unsupported SSL cipher suites:

Unsupported SSL cipher suites for Decryption


For those of us using IPS/IDS Antimalware, Antivirus, application blocking and other features in PANOS, this issue is a very big deal.


Many of the CDNs are switching to protocol cipher suites which PANOS 6 and 7 do not support. For example, visit SSL Labs and scan code <dot> jquery <dot> com. This is served by MaxCDN. Currently, only cipher suites that PANOS does not support are enabled. Also, TLS_FALLBACK_SCSV is configured. How many web pages did this just break behind my PANOS firewalls? A very large number of websites.


I currently have an enormous number of SSL Decryption exceptions. If this continues, many of the PANOS add-ons I have licensed will be virtually useless. Depending upon the installation type, there are various ways for you to work around this issue. It is not impossible to address. Please give us some of these options.

Has this issue been resolved in v7.1 with the new ciphers that have been added?

@RobertH601, it depends, as the issue here is "unsupported" ciphers on a web server.


Palo Alto Networks has added support for some new ciphers, but not all ciphers.

So, if a newly added cipher matches the site's cipher, then this will resolve the issue.


I hope this makes sense.