page cannot be viewed properly

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

page cannot be viewed properly

L6 Presenter

Hi,

There is a web page that cannot be viewed properly because of ssl decryption.Decryption is made for gmail applications by using custom url

Is there a way to fix that without disabling ssl decryption ?

1 accepted solution

Accepted Solutions

Is the decryption certificate used by the firewall,  trusted by the PC from where you are browsing the web-page ? I have seen similar issues, downloading the SSL forward proxy certificate that is used on the firewall and adding it to the trusted root ca folder in certificate store of the pc fixed the issue for me.

View solution in original post

7 REPLIES 7

L6 Presenter

Try to locate which TLS version is being used.

It seems that PA (still) doesnt properly support TLS1.2 (or if it was TLS1.1). There were previously rumours that this would have been fixed in PANOS 5.0 but it doesnt seem like that.

L7 Applicator

The gmail server is an interesting animal when it comes to SSL. If you go to "https://gmail.com" it fails to decrypt, but if you go to "https://mail.google.com". I haven't found a solid answer to that in my testing, and I can only speculate that it has to do with the multiple handshakes, redirects, and certs used.

Try hitting the full (final) URL for google services to see if it will decrypt properly.

-Greg

According to https://www.ssllabs.com/ssltest/analyze.html both sites has:

Protocols

TLS 1.2     Yes

TLS 1.1     Yes

TLS 1.0     Yes

SSL 3.0     Yes

SSL 2.0     No

and

Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     128

TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     128

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)     128

SSL_RSA_WITH_RC4_128_SHA (0x5)     128

SSL_RSA_WITH_RC4_128_MD5 (0x4)     128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     256

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)     256

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)     256

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     168

SSL_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     168

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   Forward Secrecy     128

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)     128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128

However www.gmail.com has a note of "This site works only in browsers with SNI support.".

Could it be that PA doesnt have support för SNI?

For more info of SNI:

http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Other than that the certs seems to be issued weekly (for both sites the valid from was set to 12 july 2013...), could it be some ssl-cache problem within PA?

good point.Maybe you are right about cache.

This happens with chrome only.

I searched and found

but that did not solve our problem.When I disable decryption it works fine.

Is the decryption certificate used by the firewall,  trusted by the PC from where you are browsing the web-page ? I have seen similar issues, downloading the SSL forward proxy certificate that is used on the firewall and adding it to the trusted root ca folder in certificate store of the pc fixed the issue for me.

it was imported for a long time.importing again to root after that issue has fixed the page problem.Thanks.

  • 1 accepted solution
  • 3701 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!