This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Sectigo CA Chain Decryption Issues

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Sectigo CA Chain Decryption Issues

paul.carroll
L0 Member

‎06-01-2020 03:40 AM

Due to the recent expiration of the Sectigo RSA CA cert (https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...) and our Palo firewall SSL decryption policy configuration to block expired certificates we are noticing that any website that is publishing the old expired CA chain (for example netaoc.org.uk) is being blocked due to them publishing an expired cert.

 

This is obviously working as expected however it's difficult for me to come into contact with each website hosting one of these invalid CA chains to get them to resolve the issue while our users experience issues and I manually exclude the sites from decryption.  I of course could turn off expired certificate blocking however this something I would rather not do.

 

I have noticed that web browsers like Chrome when not running through decryption are handling this issue just fine as they seem to look up the new correct CA certificate themselves and use that.  Is there a way I can configure out Palo to act in the same way or am I stuck being reliant on the web admins of the individual sites to correct their chain issues?

40 people had this problem.
0 Likes Likes
25 REPLIES 25

OwenFuller
L4 Transporter
In response to kalakai

‎06-02-2020 08:13 AM

As @kalakai said, this problem appears to be related to OpenSSL incorrectly building the trust chain for certificates which used to chain up to the now expired Sectigo CA cert.  This article (which we're also providing to TAC on our own case) provides a very detailed explanation for those who are interested:  https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-ex...

 

(1)

OwenFuller
L4 Transporter
In response to OwenFuller

‎06-02-2020 08:36 AM

According to the KB article TAC referenced (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UFBCA2), the new CA certs are already in the CA store on the firewalls.  It's saying that the problem is due to "Some servers that are using certificates signed by these CAs are still including the expired CAs as part of certification chain supplied to the client." It also mentions that "Our NGFW Trusted CA store is already updated with the self-signed certs, and no change is needed to Trusted CA store on PA."  However, given that the chains build properly on other systems, and there are know issues with certain clients (see my previous comment), this still seems to be a problem with PANOS (a la OpenSSL) in my opinion.  We're going to continue working w/ TAC for answers.


RobinClayton
L4 Transporter
In response to OwenFuller

‎06-02-2020 08:44 AM

I have expiration turned off at present , support are not being very clear. will turn it on again later and see if the cert store has updated.

0 Likes Likes

Tarcizoa
L0 Member
In response to OwenFuller

‎06-02-2020 09:24 AM

From what i see the servers have both chains. PaloAlto behavior is one of the following:

1 - It checks if any expired on the server and block no matter if one is good.

2 - It only check the first one(expired) and doesn't even check the second one.

I agree with you that it should be fixed but looks like its more a code change then a certificate chain issue.

The article that you posted previously shows that clearly on option 2.

Someone was able to reboot firewall just to validate if its not a cache or something like?

 

 

0 Likes Likes

OwenFuller
L4 Transporter
In response to Tarcizoa

‎06-02-2020 10:00 AM

We only saw about ~50 destinations w/ decrypt-cert-validation as the session-end-reason in our logs, and several seem to be junk we don't really care about.  We're opting to leave expiration on for most user traffic.  We've created a custom URL category for affected sites which are business-related, and are using it in a separate SSL decryption policy that doesn't block the expired cert.  Seems to be the best option to avoid completely disabling cert expiration checking for our purposes.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks