I have been using SSL Inbound Decryption for over a year with the options:
1) Block sessions with unsupported versions
2) Block sessions with unsupported cipher suites
After applying Windows 10 updates to a reverse proxy server, it appears that the connection to the website is encrypted and authenticated using TLS 1.3, X25519, and AES_256_GCM (based on the Google Chrome developer tools security tab).
I now get the error SSL_ERROR_NO_CYPHER_OVERLAP. This error goes away only if I disable 2) Block sessions with unsupported cipher suites from the SSL Inbound Decryption policy. Permitting all the cipher suites in the decryption profile without disabling #2 does not work. Does Palo Alto support Inbound SSL Decryption for TLS 1.3 on any PAN-OS version?
Has anyone resolved a similar issue by updating Windows registry keys to force the connection to use TLS 1.2?
Decryption of TLS 1.3 is supported in PAN-OS 10 (but I definitely do not recommend installing this just-released PAN-OS version in a production environment).
So the other way is to disable TLS1.3 until PAN-OS 10 becomes a preferred release by PaloAlto TAC Support. So far I was not able to find anything related to disabling TLS1.3, but I assume it should work the same way as you can disable older versions like TLS1.0/TLS1.1: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-11
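The registry approach suggested above, written out as an added example (not code from the thread or from Microsoft); it assumes the TLS 1.3 keys follow the same Protocols\<name>\Client|Server layout with Enabled and DisabledByDefault DWORDs that the linked page documents for TLS 1.0/1.1, and the function names are my own. It only affects software that terminates TLS through SCHANNEL (IIS/HTTP.sys does); a reverse proxy with its own TLS stack ignores these keys.

```powershell
# Added example. Assumption: 'TLS 1.3' uses the same key layout as 'TLS 1.0'/'TLS 1.1'.
# Run from an elevated PowerShell; SCHANNEL reads these keys at boot, so reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,                                  # e.g. 'TLS 1.3'
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Side,      # role this host plays
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 switches the protocol off; DisabledByDefault=1 stops SSPI callers
    # from negotiating it unless they explicitly request it.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) { return 'not set (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    return "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

# The reverse proxy terminates inbound TLS, so only the Server role needs TLS 1.3 off.
# TLS 1.2 is pinned on explicitly so the decryption profile has a version it can match.
Set-SchannelProtocolState -Protocol 'TLS 1.3' -Side Server -Enabled $false
Set-SchannelProtocolState -Protocol 'TLS 1.2' -Side Server -Enabled $true

# Read back what is now configured so the change can be compared with the capture later.
foreach ($proto in 'TLS 1.2', 'TLS 1.3') {
    foreach ($side in 'Client', 'Server') {
        '{0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelProtocolState -Protocol $proto -Side $side)
    }
}
Write-Host 'Reboot so SCHANNEL picks up the change, then re-check the negotiated version in Chrome.'
```

After the reboot, the Chrome security tab (or a packet capture of the ServerHello) should show TLS 1.2 instead of TLS 1.3; if it still shows 1.3, the proxy is not using SCHANNEL for that listener.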
I tried disabling TLS 1.3 on the reverse proxy server with the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL registry keys, but wasn't able to get the webpages to load.
I have been able to get it to load by either turning off SSL Inbound Decryption, or rolling back a critical Windows update. I'm doing the former now.
Hmn ... strange ... (I want to have TLS1.3 on my IIS too, but obviously I am doing something wrong 😛 )
Anyway, back to the actual issue:
If not done already maybe you should consider doing these captures and maybe post the results here.
session end reason = decrypt-unsupport-param
from zone = trust
to zone = DMZ
source = client
destination = public ipaddress for website hosted on DMZ
Wireshark 3.2.4 packet capture from client to public ipaddress for website hosted on DMZ
For purposes of testing, both the reverse proxy server and the client have the following Windows registry key settings. I'll review and disable weak ciphers once SSL Inbound Inspection works again...