SSL Decryption+ALPN not stripped: yandex.com not working


L4 Transporter

Hi

I have a customer who wrote to me yesterday that if they uncheck Strip ALPN while SSL decryption is enabled, a few web sites such as yandex.com stop working.

I was able to reproduce this with my PA-3220 on PAN-OS 9.1 and also on my VM with PAN-OS 10; the result is ERR_HTTP2_PROTOCOL_ERROR in the Edge browser. There do not appear to be any decrypt-error messages, and in the traffic log it appears like a normal decrypted session.

I dug through the PCAP file, can see the chosen cipher and verified that it is indeed listed as available on the firewall. The counters also do not show any drops.

Does anyone have an idea what could cause this? Right now the customer has a decryption policy with Strip ALPN enabled for these few sites.

Thanks,

Shai

1 ACCEPTED SOLUTION

Hi @ShaiW

It seems you have figured it out by yourself.

Strip-ALPN will basically downgrade HTTP/2 to HTTP/1.1, and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3.

It is better to configure your profile with the max version set to "max" and the min version set to a specific version:

[image: Astardzhiev_1-1641333464832.png]

This will make sure that when a new TLS version is supported by PAN-OS, you don't have to update your configuration (like in this case).

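Added example, not from this thread and not Palo Alto Networks code: a small Python model of the two decryption-profile settings the accepted solution talks about, applied to a constructed TLS ClientHello. `strip_alpn` removes the ALPN extension, which is what leaves the server no choice but HTTP/1.1, and `cap_max_version` withholds every entry above the cap from supported_versions, which is the net effect a fixed Max Version of TLS 1.2 has on a client that offered TLS 1.3. A real decryption firewall terminates TLS on both sides rather than rewriting packets, so this illustrates the effect, not the implementation; the ClientHello, its server name and its cipher suites are all constructed for the example.

```python
import struct

# TLS extension types and version codes used below (RFC 8446 / RFC 7301 values)
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12, TLS13 = 0x0303, 0x0304
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def _wrap(body):
    """Wrap a ClientHello body in the handshake and record headers (lengths recomputed)."""
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(sni, alpn, versions):
    """Constructed sample ClientHello (not a real capture) with SNI, ALPN and supported_versions."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type = host_name
    sni_data = struct.pack("!H", len(entry)) + entry
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    ver_data = bytes([len(ver_list)]) + ver_list
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in (
        (EXT_SERVER_NAME, sni_data), (EXT_ALPN, alpn_data), (EXT_SUPPORTED_VERSIONS, ver_data)))
    suites = struct.pack("!HH", 0x1301, 0xC02F)   # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"            # legacy_version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    return _wrap(body)


def _split(record):
    """Return (bytes up to the extensions length field, [(ext_type, ext_data), ...])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    prefix = record[:pos]
    total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos, end, exts = pos + 2, pos + 2 + total, []
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        exts.append((etype, record[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return prefix, exts


def _rebuild(prefix, exts):
    """Re-serialise the extension list and fix every enclosing length field."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return _wrap(prefix[9:] + struct.pack("!H", len(ext_bytes)) + ext_bytes)


def alpn_protocols(record):
    """Protocols the client offers via ALPN, in preference order ([] if no ALPN extension)."""
    for t, d in _split(record)[1]:
        if t == EXT_ALPN:
            out, pos = [], 2
            while pos < len(d):
                n = d[pos]
                out.append(d[pos + 1:pos + 1 + n].decode())
                pos += 1 + n
            return out
    return []


def offered_versions(record):
    """TLS versions listed in supported_versions ([] if the extension is absent)."""
    for t, d in _split(record)[1]:
        if t == EXT_SUPPORTED_VERSIONS:
            return [struct.unpack("!H", d[i:i + 2])[0] for i in range(1, 1 + d[0], 2)]
    return []


def strip_alpn(record):
    """Model of the profile's 'Strip ALPN': with no ALPN offered, the server can only answer HTTP/1.1."""
    prefix, exts = _split(record)
    return _rebuild(prefix, [(t, d) for t, d in exts if t != EXT_ALPN])


def cap_max_version(record, max_version):
    """Model of a fixed 'Max Version': every version above the cap is withheld from the server."""
    prefix, exts = _split(record)
    new = []
    for t, d in exts:
        if t == EXT_SUPPORTED_VERSIONS:
            keep = b"".join(struct.pack("!H", v) for v in offered_versions(record) if v <= max_version)
            d = bytes([len(keep)]) + keep
        new.append((t, d))
    return _rebuild(prefix, new)


if __name__ == "__main__":
    hello = build_client_hello("example.com", ["h2", "http/1.1"], [TLS13, TLS12])
    print("client offers :", alpn_protocols(hello), [TLS_NAMES[v] for v in offered_versions(hello)])
    print("Strip ALPN on :", alpn_protocols(strip_alpn(hello)))
    print("Max = TLS 1.2 :", [TLS_NAMES[v] for v in offered_versions(cap_max_version(hello, TLS12))])
```

Running it shows the two effects side by side: after `strip_alpn` the client offers no protocol at all, so a server that only speaks HTTP/2 over ALPN has nothing to negotiate and falls back to HTTP/1.1; after `cap_max_version(hello, TLS12)` the ALPN offer is untouched but TLS 1.3 is gone from the list, which is the situation the thread describes with a profile pinned to TLS 1.2 and why "max" as the upper bound tracks whatever PAN-OS supports without a config change.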

4 REPLIES

L4 Transporter

EDIT: This web site starts working if I change max version to TLS 1.3 (under decryption profile) and stops working when I set it at TLS 1.2. No other changes are made.

This feels like a specific web-site issue more than a firewall one.

 


Hi

The customer is still on PAN-OS 9, which does not support TLS 1.3, and all other web sites work fine. It's just yandex.com that does not.

I am pretty sure it is not firewall related, more like a web-site issue.

Shai

Hi,

Use with caution: on a 3430 pair, the workaround Min=TLS1.2 and Max=Max crashed the firewall. Used PAN-OS 10.2.1.

For the issue with ERR_HTTP2_PROTOCOL_ERROR the config change fixed it, but just for a minute between committing the change and the FW crashing into maint mode.
