cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"decrypt-unsupport-param" error on Inbound SSL Decryption

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"decrypt-unsupport-param" error on Inbound SSL Decryption

Go to solution
Maxstr
L3 Networker

‎01-05-2017 01:46 PM

I am trying to get inbound SSL decryption for our web server. I imported our web server's SSL certificate with private key to the Palo. It shows "Valid" and the "private key" checkbox is checked.

 

But the log shows it is not getting decrypted, and I'm seeing the session end "decrypt-unsupport-param" .

 

The certificate is signed by a CA, 2048-bit, SHA256

0 Likes Likes
18 REPLIES 18

Go to solution
Maxstr
L3 Networker
In response to kdd

‎01-09-2017 06:44 AM

The certificate is RSA,not DHE. However, noticed that there is an Digicert intermediary certificate in the chain. Do I need to load the intermediary into the PA? I obviously don't have their private key
0 Likes Likes

Go to solution
kdd
L4 Transporter
In response to Maxstr

‎01-09-2017 07:36 AM

Hi Max,

in our PA's certficate-memory are only root-certificates. two or three of them i imported to get sites decrypted. Because they weren't implicit. Do you have the root-CA as well? The intermediate will be used to issue the certificate for an aplicant. The Root-CA ensures the reliabilty of the intermediate cert. I think,  you have to have der Root-CA as well.

To get a DigiCert Trusted Root Authority Certificates look here digicert .

Regards,

Klaus

 

0 Likes Likes

Go to solution
Maxstr
L3 Networker
In response to kdd

‎01-09-2017 08:44 AM

Interesting, so I've added the root CA and intermediary CA, and now it shows the server's certificate under the other two. I thought that would fix the issue since it all lined up nicely, but no dice... I'm still getting the errors (first "decrypt-error" then "decrypt-param-unsupport").

 

So just to verify, the rule should be untrust to trust, source any, destination [the public IP of the server]?

0 Likes Likes

Go to solution
RahmanDuran
L2 Linker
In response to Maxstr

‎01-10-2017 01:34 AM - edited ‎01-10-2017 01:36 AM

No it won't work, PANOS does not support DHE and ECDHE ciphers for inbound ssl decryption. It does not have anything to do with your certificate. It is about the client and the webserver. Just run wireshark on your client and filter for server ip and ssl.handshake.type == 2. If you see that the client and server agreed on a DHE or ECDHE cipher, then inbound decryption will not work. You need to disable DHE and ECDHE ciphers on your web server so clients can not connect to server using DHE and ECDHE ciphers. Instead they will agree and use on other supported ciphers.

 

Rahman 

Go to solution
kdd
L4 Transporter

‎01-10-2017 02:02 AM

it is right that DHE and ECDHE is not supported by PA for ssl-inbound-inspection. There ist a note in the Config which point to that. therefore you have to disable these algorithms like Rahman mentioned.

 

algo.PNG

 

you will find the algorithms below Objects - Decryption Profil. DHE and ECDHE is checked but they will be used only for ssl forward proxy.

Go to solution
Maxstr
L3 Networker
In response to kdd

‎01-10-2017 06:10 AM

Oh, I see what you mean. I should create a new profile with only RSA checked.

So does that also mean I need to disable those ciphers on the web server? Or does the PA negotiate the protocol on its behalf?
0 Likes Likes

Go to solution
kdd
L4 Transporter
In response to Maxstr

‎01-10-2017 07:31 AM

yes, because thats what the server offers and i guess right now your server offers more than PA can decrypt.  By the way the certificate of the root CA is only needed for ssl-forward-proxy. But thats the other direction.

0 Likes Likes

Go to solution
Maxstr
L3 Networker
In response to kdd

‎01-10-2017 08:09 AM

Ok, I think I understand now. The documentation mentions none of this information 😕

 

So I ran the Qualsys SSL Labs test on my webserver, and it shows the server's "preffered order" of cipher suites. Sure enough, ECDHE is on the top, with RSA below it. Which means that browsers are negotiating ECDHE with the server, and the PA can't decrypt it. 

 

I suppose I could remove ECDHE from the server's cipher list (by registry or the IISCrypto tool). I'm not familiar enough with the different cipher suites to know if there is anything inherently insecure with RSA compared to ECDHE. It might not even be PCI or FIPS compliant.

 

Thanks for all the assistance. It looks like inbound-decrypt is intended for some other use cases, not so much for web servers.

 

 

0 Likes Likes

Go to solution
clewis1
L2 Linker
In response to Maxstr

‎01-10-2017 10:12 AM

I suggest everyone to ask your SE to submit a feature request of being able to decrypt these ciphers inbound. Not decrypting SMTP and webservers is a big miss. I have had our SE vote in favor of this feature. 

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks