Inbound SSL decryption for apache2 server

L2 Linker

I am trying to set up a TLSv1.3 AND a different TLSv1.2 webserver behind a palo firewall with ssl inbound decryption.

However, I seem to get a lot of ssl errors, and the website does not work if specific ciphers are not listed first...

For one, I would like to understand why that is, and why even ciphers listed here have issues: https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

Basically, what should the apache config look like for the palo to be able to decrypt the traffic, yet still have the highest possible security as rated by https://www.ssllabs.com/ssltest/ ?

I always seem to get either "This server does not support Forward Secrecy with the reference browsers. Grade capped to B." or "There is no support for secure renegotiation. Grade reduced to A-."

L2 Linker

Hi,

Which PANOS version are you running? Some logs might be helpful as well.

Thanks.

Kind regards,
René
// If you like my answer force commit it.
L2 Linker

Running PANOS 10.0.1; the log only shows "General TLS protocol error" together with the ciphers that were used.

Any specific debug or log I should show?

L2 Linker

@Rene_Boehme or anyone know working ciphers for apache with TLSv1.2, and which ones work with TLSv1.3?

L2 Linker

There is nothing in the sslmgr.log and nothing but the General errors in the UI.

The only ciphers that seem to work with Palo decryption on TLSv1.2 and Chrome/Firefox are these two:

AES256-GCM-SHA384:AES128-GCM-SHA256

All others error out, even if the ciphers above are also available but not listed first (SSLHonorCipherOrder is set to off).

But with these ciphers, which are considered weak, I don't even get forward secrecy, and therefore the rating is down to B...

I wonder why the following ciphers don't work:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:CHACHA20-POLY1305-SHA256, or the ECDHE-ECDSA ones, which are listed as supported but not shown in the decryption profile settings.

Anyone have an idea, or even just an idea how to troubleshoot this further?

L2 Linker

From a Wireshark capture, I can see that if any other supported protocols are used for TLSv1.2, the palo sends a Server Hello with the first matching cipher and right after it sends a [RST, ACK] to the client, which originates only from the firewall. The server actually sends the certificate to the palo, so the issue seems to be between the palo and the client with PANOS 10.0.1.

I should probably open a support case to look into this, but I thought maybe someone has already looked into this.
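As an added troubleshooting aid (not code from the thread, from Apache or from Palo Alto), this Python script classifies the suites named in the two posts above by key exchange, which is what decides the forward-secrecy grading, and can attempt one TLS 1.2 handshake per suite against a host so that a handshake cut off after Server Hello, like the RST in the capture, shows up per suite. The host name and port passed to probe() are assumptions; the ChaCha20 suite is written under its OpenSSL name, ECDHE-RSA-CHACHA20-POLY1305.

```python
import socket
import ssl

# Cipher strings quoted in the thread (TLS 1.2, OpenSSL/Apache naming);
# the ChaCha20 suite is spelled the way OpenSSL names it.
WORKING = "AES256-GCM-SHA384:AES128-GCM-SHA256"
WANTED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-CHACHA20-POLY1305")


def classify(cipher_list):
    """Split an SSLCipherSuite string and flag which suites give forward secrecy.

    Forward secrecy needs an ephemeral key exchange (ECDHE/DHE). A name that
    starts with the bulk cipher, e.g. AES256-GCM-SHA384, means static RSA key
    exchange, which is why SSL Labs caps the grade at B.
    """
    rows = []
    for name in cipher_list.split(":"):
        kx = "ECDHE" if name.startswith("ECDHE-") else \
             "DHE" if name.startswith("DHE-") else "RSA"
        rows.append({"name": name, "kx": kx, "forward_secrecy": kx != "RSA"})
    return rows


def probe(host, port=443, cipher_list=WANTED, timeout=5):
    """Try one TLS 1.2 handshake per suite and map suite -> outcome.

    A handshake that dies after Server Hello (e.g. the firewall's RST seen in
    the capture) is reported as 'failed'. Certificate verification is off
    because the question is whether the handshake completes, not chain trust.
    """
    results = {}
    for name in cipher_list.split(":"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(name)  # raises if the local OpenSSL lacks the suite
        except ssl.SSLError:
            results[name] = "unknown to local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok: " + tls.cipher()[0]
        except (ssl.SSLError, OSError) as exc:
            results[name] = "failed: " + type(exc).__name__
    return results
```

Run classify(WORKING + ":" + WANTED) offline to see which suites lack forward secrecy, and probe("your.server.example") from a client on the far side of the firewall to see which suites complete the handshake through decryption.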