06-01-2020 03:40 AM
Due to the recent expiration of the Sectigo RSA CA cert (https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...) and our Palo firewall SSL decryption policy configuration to block expired certificates we are noticing that any website that is publishing the old expired CA chain (for example netaoc.org.uk) is being blocked due to them publishing an expired cert.
This is obviously working as expected; however, it's difficult for me to come into contact with each website hosting one of these invalid CA chains to get them to resolve the issue while our users experience issues and I manually exclude the sites from decryption. I of course could turn off expired certificate blocking; however, this is something I would rather not do.
I have noticed that web browsers like Chrome, when not running through decryption, are handling this issue just fine, as they seem to look up the new correct CA certificate themselves and use that. Is there a way I can configure our Palo to act in the same way, or am I stuck being reliant on the web admins of the individual sites to correct their chain issues?
06-02-2020 10:04 AM
We proceeded almost the same; the only difference is we're using MineMeld with a dynamic list so we don't need to push to the firewall at each addition to the list.
06-02-2020 10:22 AM
Same problem here.
Right now I only saw 1 site not working, but I guess more will follow.
I also set up a new decrypt policy with a new decrypt profile allowing expired certs and put a custom URL list in place as a workaround.
06-02-2020 11:32 AM
Looks like the official advisory is out, and the suggestions are to do the exemptions like most of us have been talking about already: https://live.paloaltonetworks.com/t5/customer-advisories/decryption-errors-created-by-the-expired-ad... What a mess. Good luck w/ your exemptions everyone!
06-02-2020 11:46 AM
I like @Tarcizoa's idea of using an external dynamic list to manage these exceptions. We don't have minemeld but we can host a text file on an internal web server and just update the text file with any new exceptions. Then set the EDL to check for updates every 5 minutes. Sounds better than having to do commits every time a new site is discovered.
06-03-2020 04:50 AM
I received an update from TAC saying they also have an engineering request for this issue to identify if the PA behavior can be changed to accept the best root CA instead of the ones which are expired. They will keep us posted with the coming updates.
06-04-2020 07:10 AM
Response to my case.
------------------------------
Good day!
Engineering has identified the fix, and it is coming in upcoming releases of all major releases, i.e. 8.1.15, 9.0.9, 9.1.3.
With the fix, we will evaluate the leaf node, and chain up to trust store.
Tentative ETA is around Mid-June.
I would also like to update you that we have put together a customer advisory if you would like to take a look -
https://live.paloaltonetworks.com/t5/customer-advisories/decryption-errors-created-by-the-expired-ad...
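A simplified model of the difference the TAC reply above describes: validating the chain exactly as the server sent it versus building a path from the leaf up to the trust store. This is an added example, not part of the thread and not PAN-OS code; the certificates are constructed records without real signatures, and `Cert`, `issued_by`, `validate_as_served` and `build_path` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # stands in for this certificate's public key
    signer_key_id: str  # stands in for the key that signed it
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed records; only the CA names and the 30 May 2020 expiry come from the thread.
LEAF = Cert("www.example.test", "Example Issuing CA", "k-leaf", "k-issuing", utc(2021, 1, 1))
ISSUING = Cert("Example Issuing CA", "USERTrust RSA Certification Authority", "k-issuing", "k-usertrust", utc(2030, 1, 1))
CROSS = Cert("USERTrust RSA Certification Authority", "AddTrust External CA Root", "k-usertrust", "k-addtrust", utc(2020, 5, 30))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", "k-addtrust", "k-addtrust", utc(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority", "USERTrust RSA Certification Authority", "k-usertrust", "k-usertrust", utc(2038, 1, 1))
SERVED = [LEAF, ISSUING, CROSS]            # chain as a misconfigured site sends it
TRUST_STORE = [ADDTRUST_ROOT, USERTRUST_ROOT]

def issued_by(child, parent):
    return child.issuer == parent.subject and child.signer_key_id == parent.key_id

def validate_as_served(served, trust_store, now):
    """Check every certificate the server sent, in order, plus the anchor above the last one."""
    anchor = next((t for t in trust_store if issued_by(served[-1], t)), None)
    if anchor is None:
        return False, "no trust anchor"
    for cert in served + [anchor]:
        if cert.not_after <= now:
            return False, "expired: " + cert.subject
    return True, "ok"

def build_path(served, trust_store, now):
    """Start at the leaf and stop at the first unexpired trust anchor; unused served certs are ignored."""
    path = [served[0]]
    while path[-1].not_after > now:
        cur = path[-1]
        anchor = next((t for t in trust_store if issued_by(cur, t) and t.not_after > now), None)
        if anchor is not None:
            return path + [anchor]
        nxt = next((c for c in served if c not in path and issued_by(cur, c)), None)
        if nxt is None:
            return None
        path.append(nxt)
    return None
```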
06-08-2020 01:52 PM
Just wanted to chime in. We are also seeing the problem on many websites. If you Wireshark the traffic and filter tls.handshake.type==11 you can see the cross certificate(s) and its expiration (signedCertificate > validity > notAfter). Sometimes it's USERTrust RSA Certification Authority, sometimes it's AddTrust External CA Root, sometimes it's both. Don't trust things like Chrome's dev tools to see the offending certs; you need to Wireshark the traffic from a machine that is *not* being decrypted.
I'm either telling people to fix their websites or patiently waiting for 8.1.15 and hoping it fixes the issue.
06-22-2020 11:06 AM
06-25-2020 03:10 AM
No but Sectigo certs on some sites are failing even with expiration turned off 😞
Rob
06-29-2020 02:26 PM
We upgraded to 8.1.15 yesterday and OCSP broke. Certificates signed by three different CAs were returning a status of 'unknown' and we block status unknown. We have been having this issue occur intermittently, so I'm unsure if it is related to the PAN-OS upgrade.
That being said, during our upgrade and testing window, we could visit the sites that were affected by the Sectigo chain issue. The other issues popped up as users started to come into the office on Monday and browse around.
06-30-2020 07:06 AM
Thanks for the update.
Please keep us posted of the development.
Thanks