SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

L4 Transporter

Hello,

I'm running a cluster of PA (4.0.8) with SSL Decryption configured.

SSL Decryption is not able to decrypt SSL traffic if the HTTPS session is using TLS 1.1 or TLS 1.2.

Test with www.gmail.com   

Chrome : OK (see gmail application in the traffic log)

Firefox : idem

IE 8 or 9 with TLS 1.1 or TLS 1.2 DISABLED : idem

IE 8 or 9 with TLS 1.1 or TLS 1.2 ENABLED : see only SSL application

Is it solved in 4.1.6 (I plan to upgrade my cluster with this release) ??

Regards,

Hedi

21 REPLIES 21

Hello,

5.0 doesn't bring better TLS support but it's bringing more control about actions when decryption fails or certificates is not trusted.

Decryption is no go for me until 5.1  (if they put it in 5.1)

Not applicable

Any update from PAN?

I'm running PAN 5.0.2.  Still not working.

Palo Alto Networks Guru

Hello,

we currently do not support decryption of TLS1.2. TLS 1.2 hasn't be broadly supported by browsers until more or less practical TLS 1.0 and block cipher related attacks where demonstrated by cryptographers as proof of concept code. We do see a slow increase of TLS 1.2 support in major browsers lately. Especially Google Chrome and Apple Safari support in their standard configuration now. Since PANOS 5.0, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.

View solution in original post

Why not implement support for TLS 1.1 and 1.2?

I really dont get it...

L3 Networker

For now, TLS 1.1 and 1.2 Support in SSL decryption? Anybody knows about that?

Hello,

According to my local SE, TLS 1.2 decryption should be supported in release train 6.x...

Regards,

HA

Would this be valid for the whole range from PA-200 to PA-5000 or just specific models?

Like will PA-2000 and PA-4000 be exluded?

L4 Transporter

Hello, some news about tls 1.2 which belong to PAN-OS 6.0 previous releases of PAN-OS only supported TLS version 1.1. This release provides the Palo Alto Networks firewall with the ability to decrypt inbound sessions and forward proxy sessions that negotiate with TLS 1.2. With this release TLS 1.2 is enabled by default and cannot be disabled. This implementation includes the following details:  TLS 1.2 is supported as defined by RFC 5246.  The following additional cipher suites are supported: TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_256_CBC_SHA256.  Newer unsupported versions of TLS (1.3+) will be downgraded to 1.2 when used with the PAN-OS. without any limitation for specific models

Unfortunately  I have tested SSL Decryption with Site that supports TLS1.2 and PANOS 6.0.10 with the latest version of firefox (v38.0.5) and I get "Secure Connection Failed" because firefox 38 does not failback from TLS version 1.2 to TLS version 1.1 as mentioned in the following https://support.mozilla.org/en-US/kb/tls-error-reports

since TLS1.1 is considered insecure TLS version by mozilla foundation

It seems that the problem appears only if the Cipher suite of the site is TLS_RSA_WITH_AES_256_CBC_SHA256 and SSL Decryption with TLS1.2. This does not apply for Cipher Suite TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS1.2/

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!