SSL Decryption: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Reply
Highlighted
L1 Bithead

SSL Decryption: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

Hi paloalto community,

 

we're currently still testing ssl decryption and discovered a new error, which I can't google to find a solution.

 

If we're visiting the following site, we get an "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY" error. Site: https://www.1erforum.de/

 

See attached our configuration and ssl information without decryption enabled.

 

Firmware and Specs:

PA 850 - FW 9.0.5

 

Settings:

2020-01-13 11_42_30-pa-1.png2020-01-13 11_42_39-pa-1.png

 

Decryption disabled:

2020-01-13 11_42_56-Anhängerkupplung M240i _ M140i.png

 

Decryption enabled:

2020-01-13 11_46_30-www.1erforum.de.png

Highlighted
Cyber Elite

@mrkskhn,

Might want to take a look at what Cipher suite the connection is attempting to make. HTTP/2 and TLS1.2 can get weird on what cipher suites do/don't cause an error. 

Highlighted
L1 Bithead

1erforum.de is using:

The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.

 

di.fm (same error here too) is using:

The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.

 

At this point ssl decryption gets pointless, since a lot of websites are using this combination. Looks like a firmware issue?

Highlighted
Cyber Elite

@mrkskhn,

The reason that I asked what ciphers it's using is simply due to a lot of websites not actually enabling HTTP/2 correctly, but those all check out and should work perfectly fine. I'm not sure that it's actually a firmware issue, I can check to see if I run into the same issue this evening though. 

Highlighted
L1 Bithead

That would be great. i'm looking forward to hearing from you.

Highlighted
Cyber Elite

@mrkskhn,

This doesn't appear to be a software bug, the error is present in 9.0.4 and 9.1.0 as well; it also isn't an issue with the cipher suites, we can decrypt other sites perfectly fine using the same ciphers. It does however appear to be very specific to Chromium based browsers (Chrome, new Edge) as Firefox loads the site without issue. 

 

I can't tell how this is loading in Chrome when you attempt to decrypt it, but on Firefox it uses the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher when you decrypt it when I copy the same decryption profile settings you have listed. Might want to reach out to support and see if they can point you in the right direction, but they might just call this a browser issue. 

 

Highlighted
L2 Linker

I have the same issue on 9.1.0 VM-50

Highlighted
L2 Linker

I have firefox 71.0 and have the same issue. The error just appears differently. The only browser is working correctly is an old IE in Win7.

 

From the firefox:

 

Your connection is not secure

The website tried to negotiate an inadequate level of security.

www.di.fm uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

Highlighted
Cyber Elite

@ovel,

I would expect this site to have issues; it defaults to using the TLS_RSA_WITH_AES_256_CBC_SHA cipher which is an inadequate cipher for HTTP/2 

Highlighted
L2 Linker

don't know, it might sound silly, but if IE has managed to negotiate with the site and is able to show its content, why PA can't do the same and use a compatible protocol to show the site content?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!