For details on cookie usage on our site, read our Privacy Policy
SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2
- LIVEcommunity
- Discussions
- General Topics
- Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-19-2012 02:40 AM
Hello,
I'm running a cluster of PA (4.0.8) with SSL Decryption configured.
SSL Decryption is not able to decrypt SSL traffic if the HTTPS session is using TLS 1.1 or TLS 1.2.
Test with www.gmail.com
Chrome : OK (see gmail application in the traffic log)
Firefox : idem
IE 8 or 9 with TLS 1.1 or TLS 1.2 DISABLED : idem
IE 8 or 9 with TLS 1.1 or TLS 1.2 ENABLED : see only SSL application
Is it solved in 4.1.6 (I plan to upgrade my cluster with this release) ??
Regards,
Hedi
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-30-2013 02:22 PM
Hello,
we currently do not support decryption of TLS1.2. TLS 1.2 hasn't be broadly supported by browsers until more or less practical TLS 1.0 and block cipher related attacks where demonstrated by cryptographers as proof of concept code. We do see a slow increase of TLS 1.2 support in major browsers lately. Especially Google Chrome and Apple Safari support in their standard configuration now. Since PANOS 5.0, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-19-2012 08:41 AM
Hello,
First, thanks for your answer.
The document only mention SSL2.0, 3.0 and TLS 1.0. No infos about TLS 1.1 or TLS 1.2...
In my case, we don't have any problem with the certificate itself because the SSL interception is not doing it's job...
I will upgrade 4.1.6 and keep you inform if it's solved or not...
Regards,
Hedi
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-20-2012 05:15 AM
Hello all,
After upgrading to 4.1.6, I can confirm PA is NOT ABLE to decrypt TLS 1.1 or TLS1.2.
I'm waiting an OFFICIAL answer from PA now : When will it be supported ???
Regards,
Hedi
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-23-2012 07:45 AM
Hi,
as far as i know later Versions of TLS are currently not supported.
This Information was from PanOS 4.0.x
but since i didn't see anything in the Release Notes of 4.1.x it should be still correct.
Regards
Marco
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-07-2012 02:04 AM
Hello,
I totally second your claims. In addition TLS 1.0 is partially finished : it lacks TLS Extensions, which make for example https://www.gmail.com to fail decryption.
Regards
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-22-2012 01:17 AM
According to Chrome dev team, newest version has TLS 1.1 disabled because of issues with IIS : Chrome Releases: Stable Channel Update
Thank you Microsoft, you're saving us for once :smileysilly:
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-22-2012 01:59 AM
Hello,
This is answer is receiver from my local SE.
"TLS v1.1 should be supported as of v4.0.x.
I found a note that if diffie hellman is used in the key establishment we can’t decrypt."
"v1.2 seems to be targeted for the next major release (5.x)."
Regards,
Hedi
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-22-2012 02:04 AM
Hello,
I have been in relation for months with product and support managers, it was said many times that 1.1 is not supported and 1.0 is partially (lack of critical extensions).
Strange we don't have same informations :smileygrin:
Anyway, I am always running my own tests and found out that above SSLv2, compatibility is poor.
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-25-2012 06:23 PM
Hello,
Would TLS 1.1 and 1.2 be decrypted by PANOS 5.0 for now?
TLS 1.1 with differ hellman could no be decrypted on PANOS 5.0 also?
Thanks.
Regards.
Roh
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-28-2012 09:12 AM
Hello,
5.0 doesn't bring better TLS support but it's bringing more control about actions when decryption fails or certificates is not trusted.
Decryption is no go for me until 5.1 (if they put it in 5.1)
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-18-2013 09:56 AM
I'm running PAN 5.0.2. Still not working.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-30-2013 02:22 PM
Hello,
we currently do not support decryption of TLS1.2. TLS 1.2 hasn't be broadly supported by browsers until more or less practical TLS 1.0 and block cipher related attacks where demonstrated by cryptographers as proof of concept code. We do see a slow increase of TLS 1.2 support in major browsers lately. Especially Google Chrome and Apple Safari support in their standard configuration now. Since PANOS 5.0, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-01-2013 12:38 PM
Why not implement support for TLS 1.1 and 1.2?
I really dont get it...
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
- Cortex XDR Pro - 8.2.0.46438 - Agents Disconnected - service state "stopping" how to monitor that? in Cortex XDR Discussions
- Cortex XDR VM Broker Cluster and External Load Balancer in Cortex XDR Discussions
- Setting Up Double NAT over a site-to-site VPN in General Topics
- Cloud Identity Engine - Multi Auth Profile in Prisma Access Discussions
- BGP failover not working as expected in General Topics
