cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Sectigo CA Chain Decryption Issues

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Sectigo CA Chain Decryption Issues

paul.carroll
L0 Member

‎06-01-2020 03:40 AM

Due to the recent expiration of the Sectigo RSA CA cert (https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...) and our Palo firewall SSL decryption policy configuration to block expired certificates we are noticing that any website that is publishing the old expired CA chain (for example netaoc.org.uk) is being blocked due to them publishing an expired cert.

 

This is obviously working as expected however it's difficult for me to come into contact with each website hosting one of these invalid CA chains to get them to resolve the issue while our users experience issues and I manually exclude the sites from decryption.  I of course could turn off expired certificate blocking however this something I would rather not do.

 

I have noticed that web browsers like Chrome when not running through decryption are handling this issue just fine as they seem to look up the new correct CA certificate themselves and use that.  Is there a way I can configure out Palo to act in the same way or am I stuck being reliant on the web admins of the individual sites to correct their chain issues?

39 people had this problem.
0 Likes Likes
25 REPLIES 25

RobinClayton
L4 Transporter

‎06-01-2020 04:23 AM - edited ‎06-01-2020 04:46 AM

Yes we are seeing this issue

 

 

Some customers are reporting it too when accessing one of our websites, but that's an external problem

 

 

I can't replicate it accessing our site externally.

 

I don't think it's necessarily a web hoster problem, our chain looks valid, and the certificate was only generated with it's chain in December.

 

I have logged a support case, I suggest you do the same.

 

0 Likes Likes

paul.carroll
L0 Member
In response to RobinClayton

‎06-01-2020 05:08 AM

The only reason I think it's a chain issue from the sites host is if you check the website with a tool like https://whatsmychaincert.com/ it will report that the site is delivering an invalid chain but it implies that modern web browsers will transparently fix this issue for the end user.

0 Likes Likes

RobinClayton
L4 Transporter
In response to paul.carroll

‎06-01-2020 06:29 AM

The fact that https://support.sectigo.com fails as well leads me to believe that the test site is not able to correctly process the request.

0 Likes Likes

kaschekotov
L0 Member
In response to RobinClayton

‎06-01-2020 07:07 AM

Also, please note: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008UFBCA2

0 Likes Likes

Sec101
L4 Transporter
In response to kaschekotov

‎06-01-2020 07:40 AM

This is an issue for us too.   Why isn't Palo updating these?   Does the palo check all the chains for these, apparently Sectigo is saying that the cross signed certificate is enough to stop an error for these?

0 Likes Likes

RobinClayton
L4 Transporter
In response to Sec101

‎06-01-2020 08:17 AM

From PA Support

 

"From a quick search, I was able to see that multiple issues have been reported with respect to Sectigo Certificates Expiration.

As a workaround,you can either allow untrust cert or exclude the website from decryption which is causing issue.

PA has updated with the latest CA certification, so as of now no action needed on PA certificate store. If server chain is not updated till now then that might cause issue here.

Please let me know if you have any further queries or concerns regarding the case."

 

Awaiting their guidance on why the store is not up to date.

 

Rob

 

0 Likes Likes

kalakai
L2 Linker

‎06-01-2020 02:30 PM

According to this twitter thread, the issue is with how OpenSSL handles (or doesn't handle) validating certificate chains. I believe that the PAN firewalls use OpenSSL for certificate validations which is why the firewall fails to see that the server's certificate is actually valid.

 

As a workaround, this is what we did:

  1. Create a custom URL category "Expired Certificate Bypass"
    Objects > Custom Objects > URL Category
  2. Clone the decryption profile object and uncheck "Block sessions with expired certificates"
    Objects > Decryption > Decryption Profile
  3. Clone the decryption rule and use the new decryption profile and url category you just created
    Policies > Decryption

This is not ideal or scalable but it works for business critical sites.

benlangberg
L1 Bithead

‎06-01-2020 09:32 PM

We had been running with a separate exclusion list, our helpdesk became overwhelmed with requests and cert issues. As of this post we have disabled "Block sessions with expired certificates"

 

Monitoring this discussion for further updates. 

 

0 Likes Likes

thomaswiesner
L1 Bithead
In response to benlangberg

‎06-01-2020 11:39 PM

I will do exactly the same "Benlangberg"

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2021 - Palo Alto Networks