04-24-2015 09:17 AM
I have a private subordinate CA signed using SHA-256. This is my forward decryption certificate. The trust anchor is also SHA-256.
With forward decryption enabled on my PAN-OS 5.0.15 device, the certificates generated by the firewall are signed using SHA-1, even when the website's real certificate is signed using SHA-256.
The current changes made by Google to Chrome mean that the certificate indicator now shows a warning because the site's certificate isn't using SHA-256. In the future, Chrome will block access to such sites.
Does PAN-OS 5.0.15 have a setting that will let me resolve this issue?
References:
https://www.dropbox.com/s/8jmnp4cs84r5gnt/PaloAltoNetworksCert0.PNG?dl=0
https://www.dropbox.com/s/0tbjlk3plvz6zfu/PaloAltoNetworksCert1.PNG?dl=0
04-28-2015 05:26 AM
Hi EdwinD,
Not sure if you already have an answer; if not, here you go.
Unfortunately, no.
This is supported only starting with 6.1, as described in the release notes:
Configurable Key Size for SSL Forward Proxy Server Certificates
The firewall now supports both 2048-bit RSA keys (with SHA-256 hashing) and 1024-bit RSA keys (with SHA-1 hashing) for generating the certificates it uses to establish the SSL Forward Proxy session between itself and the client. This is an extension of the 2048-bit key support that was already available with SSL decryption. In previous releases, 2048-bit keys were supported in SSL Inbound Inspection sessions as well as in SSL Forward Proxy sessions between the firewall and the destination server. As part of the extended support for 2048-bit keys, the firewall will now by default dynamically choose the key size to use to establish SSL Forward Proxy sessions with clients, based on the key size used by the destination server. You can optionally configure a static key size for SSL Forward Proxy sessions between the firewall and clients regardless of the key size used by the destination server.
You can configure the setting under:
CLI:
deviceconfig {
setting {
ssl-decrypt {
fwd-proxy-server-cert-key-size {0 | 1024 | 2048};
}
}
}
WebUI:
Device -> Setup -> Session -> Forward Proxy Server Certificate Settings
Hope this answers your query.
Thank You.
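The effect described in this thread, as an added example (not code from the original post or from Palo Alto Networks): it builds a stand-in "forward trust" sub CA and re-signed leaf certificates in memory with the `cryptography` package, then inspects the signature hash and RSA key size the way a browser's certificate viewer does, so you can see why a 2048-bit origin behind a SHA-1-signing proxy still trips Chrome's SHA-1 warning. The `fwd_proxy_cert_params` function only emulates the 6.1 `fwd-proxy-server-cert-key-size` setting from the release note quoted above; the exact dynamic rule it uses (origin key of at least 2048 bits gives 2048/SHA-256, otherwise 1024/SHA-1) and the certificate names are assumptions for illustration.

```python
"""Added example: emulate PAN-OS forward-proxy certificate reissue and inspect the result.

Not Palo Alto Networks code. The dynamic key-size rule below is an assumption that
matches the release-note wording; the CA and site names are constructed for the demo.
Requires the third-party `cryptography` package.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Per the 6.1 release note: 2048-bit keys are paired with SHA-256, 1024-bit with SHA-1.
HASH_FOR_BITS = {2048: hashes.SHA256, 1024: hashes.SHA1}


def fwd_proxy_cert_params(origin_key_bits, setting=0):
    """Emulates `deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size`.

    setting 0 = dynamic (follow the origin server's key size); 1024 or 2048 = static.
    Returns (key_bits, hash_class). Assumption: dynamic mode picks 2048 when the origin
    key is at least 2048 bits and 1024 otherwise.
    """
    if setting not in (0, 1024, 2048):
        raise ValueError("setting must be 0, 1024 or 2048")
    bits = setting or (2048 if origin_key_bits >= 2048 else 1024)
    return bits, HASH_FOR_BITS[bits]


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, ca):
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )


def make_ca(cn="Example Forward Trust Sub CA", key_bits=2048, hash_cls=hashes.SHA256):
    """Self-signed stand-in for a CA (the private sub CA used as forward trust cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    cert = _builder(_name(cn), _name(cn), key.public_key(), ca=True).sign(key, hash_cls())
    return key, cert


def issue_leaf(ca_key, ca_cert, cn, key_bits, hash_cls):
    """Issue a server certificate for `cn` with the given key size and signature hash,
    the way the firewall mints one per decrypted session."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    builder = _builder(_name(cn), ca_cert.subject, key.public_key(), ca=False)
    return builder.sign(ca_key, hash_cls())


def inspect(cert):
    """What a browser's certificate viewer reports: signature hash and key size."""
    sig_hash = cert.signature_hash_algorithm.name  # "sha1" or "sha256"
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "sig_hash": sig_hash,
        "key_bits": cert.public_key().key_size,
        # Chrome's SHA-1 deprecation looks at the signature on the certificate, not at
        # the key size, so even a 2048-bit key signed with SHA-1 would still warn.
        "sha1_warning": sig_hash == "sha1",
    }


def demo(site="www.example.com"):
    # Constructed scenario from the thread: the origin site uses 2048-bit RSA / SHA-256.
    origin_key, origin_ca = make_ca("Example Public CA")
    origin_cert = issue_leaf(origin_key, origin_ca, site, 2048, hashes.SHA256)
    origin_bits = origin_cert.public_key().key_size

    fwd_key, fwd_ca = make_ca()  # the private sub CA (forward trust certificate)
    results = {"origin": inspect(origin_cert)}
    # Behaviour reported for PAN-OS 5.0: the proxy cert is always 1024-bit / SHA-1.
    bits, h = fwd_proxy_cert_params(origin_bits, setting=1024)
    results["proxy_static_1024"] = inspect(issue_leaf(fwd_key, fwd_ca, site, bits, h))
    # 6.1 default (setting 0): follow the origin server's key size.
    bits, h = fwd_proxy_cert_params(origin_bits, setting=0)
    results["proxy_dynamic"] = inspect(issue_leaf(fwd_key, fwd_ca, site, bits, h))
    return results


if __name__ == "__main__":
    for label, info in demo().items():
        print(f"{label:18s} {info['sig_hash']:7s} {info['key_bits']}-bit  "
              f"sha1_warning={info['sha1_warning']}")
```

Run it and compare the `proxy_static_1024` row with the `origin` row: the origin leaf is SHA-256 but the cert the client actually sees is SHA-1, which is exactly what the Chrome indicator in the screenshots is reacting to. Switching the emulated setting to dynamic (or static 2048) makes the client-facing certificate match the origin's hash.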