SSL Decryption: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

mrkskhn · ‎01-13-2020

Hi paloalto community,

we're currently still testing ssl decryption and discovered a new error, which I can't google to find a solution.

If we're visiting the following site, we get an "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY" error. Site: https://www.1erforum.de/

See attached our configuration and ssl information without decryption enabled.

Firmware and Specs:

PA 850 - FW 9.0.5

Settings:

2020-01-13 11_42_30-pa-1.png 2020-01-13 11_42_39-pa-1.png

Decryption disabled:

2020-01-13 11_42_56-Anhängerkupplung M240i _ M140i.png

Decryption enabled:

2020-01-13 11_46_30-www.1erforum.de.png

BPry · ‎01-14-2020

@mrkskhn,

Might want to take a look at what Cipher suite the connection is attempting to make. HTTP/2 and TLS1.2 can get weird on what cipher suites do/don't cause an error.

mrkskhn · ‎01-15-2020

1erforum.de is using:

The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.

di.fm (same error here too) is using:

The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.

At this point ssl decryption gets pointless, since a lot of websites are using this combination. Looks like a firmware issue?

BPry · ‎01-15-2020

@mrkskhn,

The reason that I asked what ciphers it's using is simply due to a lot of websites not actually enabling HTTP/2 correctly, but those all check out and should work perfectly fine. I'm not sure that it's actually a firmware issue, I can check to see if I run into the same issue this evening though.

mrkskhn · ‎01-16-2020

That would be great. i'm looking forward to hearing from you.

BPry · ‎01-16-2020

@mrkskhn,

This doesn't appear to be a software bug, the error is present in 9.0.4 and 9.1.0 as well; it also isn't an issue with the cipher suites, we can decrypt other sites perfectly fine using the same ciphers. It does however appear to be very specific to Chromium based browsers (Chrome, new Edge) as Firefox loads the site without issue.

I can't tell how this is loading in Chrome when you attempt to decrypt it, but on Firefox it uses the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher when you decrypt it when I copy the same decryption profile settings you have listed. Might want to reach out to support and see if they can point you in the right direction, but they might just call this a browser issue.

ovel · ‎01-17-2020

I have the same issue on 9.1.0 VM-50

ovel · ‎01-17-2020

I have firefox 71.0 and have the same issue. The error just appears differently. The only browser is working correctly is an old IE in Win7.

From the firefox:

Your connection is not secure

The website tried to negotiate an inadequate level of security.

www.di.fm uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

BPry · ‎01-17-2020

@ovel,

I would expect this site to have issues; it defaults to using the TLS_RSA_WITH_AES_256_CBC_SHA cipher which is an inadequate cipher for HTTP/2

ovel · ‎01-17-2020

don't know, it might sound silly, but if IE has managed to negotiate with the site and is able to show its content, why PA can't do the same and use a compatible protocol to show the site content?

SSL Decryption: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY