"decrypt-unsupport-param" error on Inbound SSL Decryption

L3 Networker

I am trying to get inbound SSL decryption for our web server. I imported our web server's SSL certificate with private key to the Palo. It shows "Valid" and the "private key" checkbox is checked.

 

But the log shows it is not getting decrypted, and I'm seeing the session end "decrypt-unsupport-param".

 

The certificate is signed by a CA, 2048-bit, SHA256

18 replies

Oh, I see what you mean. I should create a new profile with only RSA checked.

So does that also mean I need to disable those ciphers on the web server? Or does the PA negotiate the protocol on its behalf?

L4 Transporter

Yes, because that's what the server offers, and I guess right now your server offers more than the PA can decrypt. By the way, the certificate of the root CA is only needed for ssl-forward-proxy. But that's the other direction.

Ok, I think I understand now. The documentation mentions none of this information 😕

 

So I ran the Qualys SSL Labs test on my web server, and it shows the server's "preferred order" of cipher suites. Sure enough, ECDHE is on the top, with RSA below it. Which means that browsers are negotiating ECDHE with the server, and the PA can't decrypt it.

 

I suppose I could remove ECDHE from the server's cipher list (by registry or the IISCrypto tool). I'm not familiar enough with the different cipher suites to know if there is anything inherently insecure with RSA compared to ECDHE. It might not even be PCI or FIPS compliant.

 

Thanks for all the assistance. It looks like inbound-decrypt is intended for some other use cases, not so much for web servers.

 

 

I suggest everyone ask their SE to submit a feature request for being able to decrypt these ciphers inbound. Not decrypting SMTP and web servers is a big miss. I have had our SE vote in favor of this feature.
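The reasoning in this thread (the decryption profile with only RSA checked, the SSL Labs preference order, and why dropping ECDHE from the server's list makes inbound decryption work) comes down to one fact: a device that holds only the server's RSA private key can recover the session keys only when the handshake used static RSA key exchange, because that is the only mode in which the premaster secret is encrypted to that key. With ECDHE or DHE the secret is derived from ephemeral values that never travel under the server key, and TLS 1.3 has no static RSA mode at all. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed ServerHello record to find the negotiated suite, classifies its key exchange, and simulates server-preferred cipher selection against a constructed browser offer list before and after the ECDHE suites are removed. The cipher suite IDs are the IANA registry values; the server and client lists are constructed for illustration and are not from any real SSL Labs report. The caveat the thread hints at holds: removing ECDHE removes forward secrecy for that server, so the trade is visibility now against exposure of recorded traffic if the key ever leaks.

```python
"""Which TLS sessions can an RSA-key-only inbound decryptor recover?"""
import struct

# IANA cipher suite IDs and their key-exchange method (small subset).
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),  # always ephemeral
}


def suite_name(suite_id):
    return SUITES.get(suite_id, ("unknown", "unknown"))[0]


def key_exchange(suite_id):
    return SUITES.get(suite_id, ("unknown", "unknown"))[1]


def passive_decryptable(suite_id):
    """True only when the premaster secret is RSA-encrypted to the server key."""
    return key_exchange(suite_id) == "RSA"


def parse_server_hello(record):
    """Return (version, cipher_suite) from a ServerHello handshake record.

    Layout: record header (type, version, length), handshake header
    (type 0x02, 3-byte length), then version, 32-byte random,
    length-prefixed session id, cipher suite, compression method.
    TLS 1.3 keeps this legacy layout, so the parser works for it too.
    """
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                      # 2 (version) + 32 (random)
    off = 35 + sid_len
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    return version, cipher


def build_server_hello(cipher_suite):
    """Construct a minimal TLS 1.2 ServerHello record (sample input only)."""
    hello = (struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", cipher_suite) + b"\x00")
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0303, len(body)) + body


def classify_session(record):
    """Describe the negotiated suite and whether the firewall can decrypt it."""
    version, suite = parse_server_hello(record)
    return {
        "version": version,
        "suite": suite_name(suite),
        "kx": key_exchange(suite),
        "decryptable_with_rsa_key": passive_decryptable(suite),
    }


def negotiate(server_prefs, client_offers):
    """Server-preferred selection: first server suite the client also offers."""
    offered = set(client_offers)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def without_pfs(prefs):
    """The server list after ECDHE/DHE suites are removed (IISCrypto-style)."""
    return [s for s in prefs if key_exchange(s) == "RSA"]


# Constructed lists: an ECDHE-first server order and a browser that offers both.
SERVER_PREFS_ORIGINAL = [0xC030, 0xC02F, 0xC014, 0xC013, 0x009D, 0x009C, 0x0035, 0x002F]
CLIENT_OFFERS = [0xC02B, 0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035]

if __name__ == "__main__":
    for label, prefs in (("original", SERVER_PREFS_ORIGINAL),
                         ("ECDHE removed", without_pfs(SERVER_PREFS_ORIGINAL))):
        chosen = negotiate(prefs, CLIENT_OFFERS)
        print(label, classify_session(build_server_hello(chosen)))
```

With the original order the browser lands on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and the session is reported as not decryptable; with the ECDHE suites gone it lands on TLS_RSA_WITH_AES_256_GCM_SHA384, which is exactly what a profile with only RSA checked can handle.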

  • 19708 Views
  • 18 replies
  • 0 Likes