This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL decryption and Http redirection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL decryption and Http redirection

sunilsadanandan
L3 Networker

‎08-26-2011 07:26 AM

Hi,

I am testing SSL decryption and it seems to work fine  except when Http redirection is involved. E.g. when you try to connect to Https://gmail.com , google redirects you to https://www.google.com and it gives me a certificate error because of the hostname in the cert does (www.google.com in this case)not match with the hostname that you are connecting to (gmail.com originally).  Is there some way of working around this ? I am using PANOS 4.0.4.

Regards,

Sunil

0 Likes Likes
10 REPLIES 10

mike_in_redding
L0 Member

‎10-31-2011 02:19 PM

Hi Sunil did you ever find out the answer to your question?

I'm running into the same issue on a project I'm working on due to a coworkers temporary incapacitation. If it go to https://www.gmail.com I will get an error saying The security certificate presented by this website was issued for a different website’s address. If I view the certificate I see that by my PA-2020(which is a trusted root) however the certificate has been issued to mail.google.com hence the error because the browser is expecting to see a certificate for www.gmail.com. Figured I'd check the forums before opening a case

Mike

0 Likes Likes

minow
L4 Transporter
In response to mike_in_redding

‎05-16-2012 03:22 AM

Hey

did you solved this issue?

we are running 4.1.6 and have simmilar poblems with gmail when it is redirected to the https url

0 Likes Likes

essnet
L4 Transporter
In response to minow

‎05-16-2012 06:36 AM

SSL decryption has been running fine for most website but it's true https://www.gmail.com is one of the few that is creating troubles.

0 Likes Likes

minow
L4 Transporter
In response to essnet

‎05-16-2012 07:39 AM

can you tell me the reason ?

thank you

0 Likes Likes

essnet
L4 Transporter
In response to minow

‎05-16-2012 08:02 AM

My opinion is the following : www.gmail.com is hosted on same server than www.google.com , to achieve that Google didn't create (for once) a multi SAN SSL certificate but relies on TLSv1 feature that allows Client and Server to negociate which certificate to use.

If client asks for www.gmail.com, Server will present gmail.com certificate, if Client asks mail.google.com during TLS negociation then Server will present mail.google.com certificate.

As PA seems to fails explicitly on those I have several theories:

  • PA doesn't support TLS certificate negociation when you ask it to decrypt so it will fallback to default presented certificate: mail.google.com.
  • PA caches which certificate is associated to an IP (for performance benefits) and will reuse it next time you connect, whatever you are trying to negociate (until cache expires)
  • A mix of the above theories.
0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks