This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Inbound decryption working/not?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Inbound decryption working/not?

Go to solution
raji_toor
L4 Transporter

‎08-06-2021 03:57 PM

2 web servers, inbound decryption for both, one working and other does not and are using same wildcard cert.

Bold are the only differences I see between 2. I don't know why working server without decryption shows the root instead of intermediate SHA2 certificate or vice a versa. However if i see the cert in browser it looks the same for both servers.

image.png

Also not sure why the signature type is different and also not sure if that can be controlled in Apache config. Traffic to both is from same test client.

---------------------------------------------

Server A without Decryption
PS C:\Users\whoami\Downloads\New folder (7)\openssl-1.1.1k-win64> .\openssl.exe s_client -connect webpac.test.ca:443 -brief
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=19:self signed certificate in certificate chain
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = CA, O = TEST, OU = IT, CN = *.test.ca
Hash used: SHA256
Signature type: RSA
Verification error: self signed certificate in certificate chain
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits


Server A with Decryption
depth=0 C = CA, O = TEST, OU = IT, CN = *.test.ca
verify error:num=20:unable to get local issuer certificate
depth=0 C = CA, O = TEST, OU = IT, CN = *.test.ca
verify error:num=21:unable to verify the first certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = CA, O = TEST, OU = IT, CN = *.test.ca
Hash used: SHA256
Signature type: RSA
Verification error: unable to verify the first certificate
Server Temp Key: ECDH, P-256, 256 bits


Server B without decryption
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = CA, O = TEST, OU = IT, CN = *.test.ca
Hash used: SHA256
Signature type: RSA-PSS
Verification error: unable to get local issuer certificate
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits

Server B with decryption


Server B with decryption
30632:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1544:SSL alert number 40

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
dmifsud
L3 Networker

‎08-07-2021 07:47 AM - edited ‎08-07-2021 07:53 AM

It's the RSA-PSS signature which isn't supported, disable this on the server.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMR7CAO

 

They are supported from version 10, but only for TLS 1.3 I believe.

Sr. Technical Support Engineer, Strata

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
dmifsud
L3 Networker

‎08-07-2021 07:47 AM - edited ‎08-07-2021 07:53 AM

It's the RSA-PSS signature which isn't supported, disable this on the server.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMR7CAO

 

They are supported from version 10, but only for TLS 1.3 I believe.

Sr. Technical Support Engineer, Strata
0 Likes Likes

Go to solution
raji_toor
L4 Transporter
In response to dmifsud

‎08-13-2021 03:14 PM

@dmifsud Thanks. This is what I had suspected. This is what worked for us on apache.

 

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
SSLOpenSSLConfCmd Curves secp384r1:prime256v1
SSLOpenSSLConfCmd SignatureAlgorithms ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
0 Likes Likes
  • 1 accepted solution
  • 3025 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks