Sectigo CA Chain Decryption Issues

L4 Transporter

Response to my case.

------------------------------

Good day!

Engineering has identified the fix, and it is coming in the upcoming releases of all major release lines, i.e. 8.1.15, 9.0.9 and 9.1.3.

With the fix, we will evaluate the leaf node and chain up to the trust store.

Tentative ETA is around Mid-June.

I would also like to update you that we have put together a customer advisory if you would like to take a look -
https://live.paloaltonetworks.com/t5/customer-advisories/decryption-errors-created-by-the-expired-ad...

L1 Bithead

Just wanted to chime in. We are also seeing the problem on many websites. If you Wireshark the traffic and filter tls.handshake.type==11 you can see the cross certificate(s) and its expiration (signedCertificate > validity > notAfter). Sometimes it's USERTrust RSA Certification Authority, sometimes it's AddTrust External CA Root, sometimes it's both. Don't trust things like Chrome's dev tools to see the offending certs; you need to Wireshark the traffic from a machine that is *not* being decrypted.

I'm either telling people to fix their websites or patiently waiting for 8.1.15 and hoping it fixes the issue.

Attachment: sctigo_mess.jpg
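The Wireshark check described in this post (tls.handshake.type==11, then signedCertificate > validity > notAfter) done programmatically, as an added example that is not from the thread: a stdlib-only script that splits a TLS Certificate handshake message into its DER certificates and lists the ones already past notAfter. The handshake message and the certificates in it are constructed inside the script (minimal, unsigned, and not the real Sectigo or AddTrust certificates); the names are only there to mirror the post.

```python
from datetime import datetime, timezone
def tlv(buf, pos):                           # one DER TLV -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                            # long-form length: next n bytes, big-endian
        n, ln = ln & 0x7F, 0
        for b in buf[pos:pos + n]:
            ln = (ln << 8) | b
        pos += n
    return tag, pos, pos + ln

def children(buf, start, end):               # all TLVs laid end to end in buf[start:end]
    out = []
    while start < end: out.append(tlv(buf, start)); start = out[-1][2]
    return out

def cert_info(cert):                         # (commonName, notAfter as aware UTC datetime)
    tbs = children(cert, *tlv(cert, 0)[1:])[0]               # tbsCertificate
    f = children(cert, tbs[1], tbs[2])
    if f[0][0] == 0xA0: f = f[1:]                            # drop optional [0] version
    # f = serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_after = children(cert, f[3][1], f[3][2])[1]          # validity = {notBefore, notAfter}
    fmt = "%y%m%d%H%M%SZ" if not_after[0] == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    ts = datetime.strptime(cert[not_after[1]:not_after[2]].decode(), fmt)
    subj = cert[f[4][1]:f[4][2]]
    _, s, e = tlv(subj, subj.find(b"\x06\x03\x55\x04\x03") + 5)  # value following OID 2.5.4.3 (CN)
    return subj[s:e].decode(), ts.replace(tzinfo=timezone.utc)

def expired_in_handshake(msg, now=None):     # CNs of certs in a type-11 message with notAfter < now
    assert msg[0] == 11, "not a Certificate handshake message"
    now = now or datetime.now(timezone.utc)
    pos, bad = 7, []                         # skip type(1) + length(3) + certificates_length(3)
    while pos < len(msg):
        n = int.from_bytes(msg[pos:pos + 3], "big")          # each entry: 3-byte length + DER cert
        cn, exp = cert_info(msg[pos + 3:pos + 3 + n]); pos += 3 + n
        if exp < now: bad.append(cn)
    return bad

# Constructed sample data: minimal unsigned certs, not the real Sectigo/AddTrust ones.
def der(tag, body):                          # TLV encoder; every length here stays below 256
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])) + body
def fake_cert(cn, not_after):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    t = der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name + der(0x30, t + t) + name + der(0x30, b"")
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
def sample_message():                        # a leaf plus the two cross/root certs named in the post
    certs = [fake_cert("www.example.test", datetime(2035, 1, 1)),
             fake_cert("USERTrust RSA Certification Authority", datetime(2020, 5, 30)),
             fake_cert("AddTrust External CA Root", datetime(2020, 5, 30))]
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return b"\x0b" + (len(body) + 3).to_bytes(3, "big") + len(body).to_bytes(3, "big") + body
```

On a real capture, feed the bytes of the Certificate handshake message exported from Wireshark to expired_in_handshake; the two constructed expired entries show the output shape.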


L0 Member

8.1.15 is now out. Has anyone verified if this problem is fixed?
L4 Transporter

No, but Sectigo certs on some sites are failing even with expiration turned off.

Rob

L2 Linker

We upgraded to 8.1.15 yesterday and OCSP broke. Certificates signed by three different CAs were returning a status of 'unknown', and we block status unknown. We have been having this issue occur intermittently, so I'm unsure if it is related to the PAN-OS upgrade.

That being said, during our upgrade and testing window, we could visit the sites that were affected by the Sectigo chain issue. The other issues popped up as users started to come into the office on Monday and browse around.

L0 Member

Thanks for the update.

Please keep us posted of the development.


Thanks
