07-16-2013 12:47 PM
Hi,
There is a web page that cannot be viewed properly because of SSL decryption. Decryption is applied to Gmail applications by using a custom URL.
Is there a way to fix that without disabling SSL decryption?
07-16-2013 01:01 PM
Try to locate which TLS version is being used.
It seems that PA (still) doesn't properly support TLS 1.2 (or if it was TLS 1.1). There were previously rumours that this would have been fixed in PANOS 5.0, but it doesn't seem like that.
07-16-2013 05:41 PM
The gmail server is an interesting animal when it comes to SSL. If you go to "https://gmail.com" it fails to decrypt, but if you go to "https://mail.google.com". I haven't found a solid answer to that in my testing, and I can only speculate that it has to do with the multiple handshakes, redirects, and certs used.
Try hitting the full (final) URL for google services to see if it will decrypt properly.
-Greg
07-17-2013 02:12 PM
According to https://www.ssllabs.com/ssltest/analyze.html both sites have:
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3.0 Yes
SSL 2.0 No
and
Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
SSL_RSA_WITH_RC4_128_SHA (0x5) 128
SSL_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 168
SSL_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) Forward Secrecy 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
However, www.gmail.com has a note of "This site works only in browsers with SNI support.".
Could it be that PA doesn't have support for SNI?
For more info of SNI:
http://en.wikipedia.org/wiki/Server_Name_Indication
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Other than that, the certs seem to be issued weekly (for both sites the valid-from was set to 12 July 2013...). Could it be some SSL cache problem within PA?
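The two hypotheses above (the firewall not handling SNI, or not handling the TLS version the client offers) can both be checked from a packet capture rather than guessed at: take the ClientHello the browser sends and the ClientHello the firewall sends on its server-facing side, and compare the SNI and the offered versions. The following is an added example, not code from the thread or from Palo Alto Networks. It builds a constructed ClientHello record (zero random, no session id) so it runs offline, parses out the fields that matter, and also drives Python's own TLS stack through an in-memory BIO to emit a genuine ClientHello without network I/O. The cipher-suite name table is copied from the SSL Labs output in this post; the function names are mine.

```python
import ssl
import struct

# Cipher-suite IDs copied from the SSL Labs output quoted in the post, for readable output.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
}
EXT_SERVER_NAME = 0          # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions


def build_client_hello(hostname, suites, version=0x0303):
    """Constructed TLS ClientHello record: zero random, empty session id,
    null compression, and an optional server_name (SNI) extension."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name (0)
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # ContentType handshake (22)


def parse_client_hello(record):
    """Return client_version, offered cipher suites, SNI host name and
    supported_versions from the first TLS record of a client's first flight."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    (client_version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    sni, supported = None, []
    if pos + 2 <= len(body):                       # extensions are optional (SSL 3.0 / old clients)
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                p = 2                              # skip ServerNameList length
                while p + 3 <= len(data):
                    ntype = data[p]
                    (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
                    p += 3
                    if ntype == 0:
                        sni = data[p:p + nlen].decode("ascii")
                    p += nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + data[0], 2)]
    return {"client_version": client_version, "cipher_suites": suites,
            "sni": sni, "supported_versions": supported or [client_version]}


def local_client_hello(hostname):
    """Make Python's own TLS stack emit a real ClientHello for hostname with no
    network: the handshake stalls at 'want read' because nothing ever answers."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def describe(hello):
    """Summary that flags the two things this thread suspects: a missing SNI and
    the TLS versions the middlebox has to be able to negotiate."""
    versions = ", ".join(f"0x{v:04x}" for v in hello["supported_versions"])
    lines = [f"client_version 0x{hello['client_version']:04x}; offered versions {versions}",
             "SNI: " + (hello["sni"] or "ABSENT (a name-based vhost like www.gmail.com will fail)")]
    lines += [f"  0x{s:04x} {SUITE_NAMES.get(s, '')}" for s in hello["cipher_suites"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in (build_client_hello("www.gmail.com", [0xC02F, 0xC030, 0x002F]),
                build_client_hello(None, [0x002F], version=0x0301),
                local_client_hello("www.gmail.com")):
        print(describe(parse_client_hello(rec)), end="\n\n")
```

To use this on the live problem, export the first client-to-server packet of the TLS session from a capture taken on the browser side and one taken on the firewall's server-facing interface (the raw TCP payload, starting at the 0x16 record byte), and feed each to parse_client_hello. If the server-facing hello has no server_name extension while the browser's does, the forward proxy is dropping SNI and a name-based site will serve the wrong certificate or refuse the handshake; if the server-facing hello only offers a lower client_version than the browser's, the proxy is capping the protocol version, which is the other explanation raised in this thread.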
07-17-2013 02:19 PM
Good point. Maybe you are right about the cache.
07-19-2013 02:43 PM
Is the decryption certificate used by the firewall, trusted by the PC from where you are browsing the web-page ? I have seen similar issues, downloading the SSL forward proxy certificate that is used on the firewall and adding it to the trusted root ca folder in certificate store of the pc fixed the issue for me.
07-19-2013 04:33 PM
It had been imported for a long time. Importing it again into the root store after that issue fixed the page problem. Thanks.