"decrypt-unsupport-param" error on Inbound SSL Decryption

Maxstr · ‎01-05-2017

I am trying to get inbound SSL decryption for our web server. I imported our web server's SSL certificate with private key to the Palo. It shows "Valid" and the "private key" checkbox is checked.

But the log shows it is not getting decrypted, and I'm seeing the session end "decrypt-unsupport-param" .

The certificate is signed by a CA, 2048-bit, SHA256

kdd · ‎01-10-2017

it is right that DHE and ECDHE is not supported by PA for ssl-inbound-inspection. There ist a note in the Config which point to that. therefore you have to disable these algorithms like Rahman mentioned.

you will find the algorithms below Objects - Decryption Profil. DHE and ECDHE is checked but they will be used only for ssl forward proxy.

View solution in original post

OtakarKlier · ‎01-05-2017

Hello,

According to the documetnation, here is what it means:

The session used an unsupported protocol version, cipher, or SSH algorithm. This session end reason is also displayed when the session produced a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.

https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networking-features/ssl-ss...

I however do not know howto resolve it. I'm sure a ticket into TAC could be a quicker answer?

Hope this helps.

kdd · ‎01-06-2017

Hi,

please take a look at "objects > decryption profile" and here the default profil or the your own configured profile. Take the tab "SSL-Decryption " and then "SSL Protocol Settings". Now you can choose the Protocol Version, Key Exchange Algorithms, Encryption Algorithms and Authentication Algorithms. Hope this helps.

Regards,

Klaus

Maxstr · ‎01-06-2017

Ok, I checked the decryption profile, and the default already has every option checked. Seems to be some other issue then

kdd · ‎01-06-2017

hi,

i think it is nessesary to debug. Maybe the it is an unsupport cipher.

Regards,

Klaus

kdd · ‎01-06-2017

another thing is to check the decryption policy for right Decryption Profil ...

Maxstr · ‎01-06-2017

It's a basic certificate aquired from Digicert.com. When I look at the certificate itself, it says its RSA SHA256, 2048-bit. But I don't see where it says the encryption algorithm, though (like AES-128CBC or AES-256GCM). I will ask the CA vendor

kdd · ‎01-09-2017

please check that the digicert-certificate is among the certificate authorities. this is necessary for trusted relationship and this to decrypt.

kdd · ‎01-09-2017

take a look on the picture i think it is the DHE or ECDHE. Both are support but not for the inbound direction. Just for SSL Forward Proxy.

kdd · ‎01-09-2017

Both algorithms (DHE and ECDHE) are only support for SSL Forward Proxy. Not for inbound direction. Take a look at the photo.

Maxstr · ‎01-09-2017

The certificate is RSA,not DHE. However, noticed that there is an Digicert intermediary certificate in the chain. Do I need to load the intermediary into the PA? I obviously don't have their private key

kdd · ‎01-09-2017

Hi Max,

in our PA's certficate-memory are only root-certificates. two or three of them i imported to get sites decrypted. Because they weren't implicit. Do you have the root-CA as well? The intermediate will be used to issue the certificate for an aplicant. The Root-CA ensures the reliabilty of the intermediate cert. I think, you have to have der Root-CA as well.

To get a DigiCert Trusted Root Authority Certificates look here digicert .

Regards,

Klaus

Maxstr · ‎01-09-2017

Interesting, so I've added the root CA and intermediary CA, and now it shows the server's certificate under the other two. I thought that would fix the issue since it all lined up nicely, but no dice... I'm still getting the errors (first "decrypt-error" then "decrypt-param-unsupport").

So just to verify, the rule should be untrust to trust, source any, destination [the public IP of the server]?

RahmanDuran · ‎01-10-2017

No it won't work, PANOS does not support DHE and ECDHE ciphers for inbound ssl decryption. It does not have anything to do with your certificate. It is about the client and the webserver. Just run wireshark on your client and filter for server ip and ssl.handshake.type == 2. If you see that the client and server agreed on a DHE or ECDHE cipher, then inbound decryption will not work. You need to disable DHE and ECDHE ciphers on your web server so clients can not connect to server using DHE and ECDHE ciphers. Instead they will agree and use on other supported ciphers.

Rahman

kdd · ‎01-10-2017

it is right that DHE and ECDHE is not supported by PA for ssl-inbound-inspection. There ist a note in the Config which point to that. therefore you have to disable these algorithms like Rahman mentioned.

you will find the algorithms below Objects - Decryption Profil. DHE and ECDHE is checked but they will be used only for ssl forward proxy.

Unlock your full community experience!

"decrypt-unsupport-param" error on Inbound SSL Decryption

"decrypt-unsupport-param" error on Inbound SSL Decryption

Show your appreciation!