Decrypt-error with Inbound Decryption DHE or ECDHE on 8.1.3


L4 Transporter

Greetings all,

 

I feel like I'm probably missing something simple here, but I'm running into a decrypt-error issue on 8.1.3 in regards to a server that is negotiating DHE or ECDHE ciphers with the client.  On Chrome I get:

 

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

And on Firefox I get:

 

SSL_ERROR_NO_CYPHER_OVERLAP

 

If I turn off decryption for this or set it to RSA only, the traffic goes through (albeit not decrypted), so the client and server do indeed have shared ciphers they can negotiate to. A packet capture from my machine and an SSL Labs scan of the server seem to back this up.

 

I know DHE and ECDHE weren't supported on Inbound Decryption before, but the warning is no longer on the configuration GUI and I see newer documentation that it has been supported since an 8.0 version.

 

Any ideas on what I might be doing wrong or how I should proceed with troubleshooting?

17 REPLIES

Did you get any further? I am struggling with a similar issue and have been debugging for two days now, getting further and further. In the case of Apache, I can say there seem to be a lot of requirements to get decryption working on the latest version, 2.4.39 (which I haven't managed to get fully working yet).

 

Benjamin

Very disappointing that I cannot use Palo for SSL inspection any more because our load balancer, AVI, is using OpenSSL v1.1.1, which defaults to the X25519 curve for ECDHE and DHE PFS ciphers using TLS1.2/1.1, so the only option I have is to use the RSA-AES-256-GCM or CBC ciphers, which then caps your SSL security rating at B vs A+ with ECDHE ciphers.

 

Come on Palo, fix the issue and support the curve x25519, you need that curve for TLS1.3 support.

L3 Networker

You will need to feature request that...
For Apache and nginx this requires a specific configuration and order (actually x25519 does not seem to be needed for tls1.3 but rsa_pss signature algorithm is and that is also not supported for tls1.2) to work... but it does work!
So if you do feature request this with your SE, make sure you also request support for rsa_pss signature algorithm 🙂
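
Added example, not part of any post in this thread: the replies above point at the X25519 curve and the rsa_pss signature algorithm as what the server negotiates and the firewall cannot decrypt, and both values are visible in the clear in the TLS 1.2 ServerKeyExchange message of a packet capture. This Python sketch parses that message and reports the negotiated group and signature scheme; the function names and the zero-filled sample messages are constructed for illustration.

```python
import struct

# Subset of the IANA TLS registries (NamedGroup, SignatureScheme).
NAMED_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1",
                0x0019: "secp521r1", 0x001D: "x25519", 0x001E: "x448"}
SIG_SCHEMES = {0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
               0x0403: "ecdsa_secp256r1_sha256",
               0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
               0x0806: "rsa_pss_rsae_sha512"}

def parse_ecdhe_ske(msg: bytes) -> dict:
    """Parse a TLS 1.2 ECDHE ServerKeyExchange handshake message (RFC 8422)."""
    if len(msg) < 4 or msg[0] != 12:            # HandshakeType 12
        raise ValueError("not a ServerKeyExchange message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 4:
        raise ValueError("truncated message")
    if body[0] != 3:                            # ECCurveType named_curve
        raise ValueError("curve_type is not named_curve")
    group = int.from_bytes(body[1:3], "big")
    off = 4 + body[3]                           # skip 1-byte-length public key
    if off + 4 > len(body):
        raise ValueError("truncated before signature")
    scheme, sig_len = struct.unpack_from("!HH", body, off)
    if off + 4 + sig_len != len(body):
        raise ValueError("signature length mismatch")
    return {"group": NAMED_GROUPS.get(group, hex(group)),
            "sig_scheme": SIG_SCHEMES.get(scheme, hex(scheme))}

def thread_flags(info: dict) -> list:
    """Flag the parameters the replies in this thread report as unsupported."""
    flags = []
    if info["group"] == "x25519":
        flags.append("x25519 key exchange")
    if info["sig_scheme"].startswith("rsa_pss"):
        flags.append("rsa_pss signature algorithm")
    return flags

def build_sample(group: int, scheme: int, pub_len: int, sig_len: int) -> bytes:
    """Constructed test message: zero-filled key and signature, real framing."""
    body = (bytes([3]) + group.to_bytes(2, "big") + bytes([pub_len])
            + bytes(pub_len) + struct.pack("!HH", scheme, sig_len)
            + bytes(sig_len))
    return bytes([12]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for g, s, p in [(0x001D, 0x0804, 32), (0x0017, 0x0401, 65)]:
        info = parse_ecdhe_ske(build_sample(g, s, p, 256))
        print(info, thread_flags(info) or "nothing flagged")
```

The input is the handshake message bytes (starting at the handshake type byte) exported from a capture of a TLS 1.2 session; TLS 1.3 has no ServerKeyExchange message, so the parser does not apply there.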
