This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

SSL Decryption: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY

mrkskhn
L1 Bithead

‎01-13-2020 02:48 AM

Hi paloalto community,

 

we're currently still testing ssl decryption and discovered a new error, which I can't google to find a solution.

 

If we're visiting the following site, we get an "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY" error. Site: https://www.1erforum.de/

 

See attached our configuration and ssl information without decryption enabled.

 

Firmware and Specs:

PA 850 - FW 9.0.5

 

Settings:

2020-01-13 11_42_30-pa-1.png2020-01-13 11_42_39-pa-1.png

 

Decryption disabled:

2020-01-13 11_42_56-Anhängerkupplung M240i _ M140i.png

 

Decryption enabled:

2020-01-13 11_46_30-www.1erforum.de.png

3 people had this problem.
0 Likes Likes
36 REPLIES 36

user1234
L0 Member
In response to Sec101

‎12-10-2020 10:58 PM

Same issue for us also ....

0 Likes Likes

dwharam
L1 Bithead
In response to Nikolay-Matveev

‎04-06-2021 04:33 PM

This is what we also did.  So far, just a handful of sites.  As somebody else pointed out, this article is helpful https://tools.ietf.org/html/rfc7540

Kuhn_Andreas
L1 Bithead

‎07-23-2021 01:24 AM

Same issue here with this URL

 

https://svp.protectionone.de/ 

 

PA 220 and 3220 with PanOS 9.1.8 ... any solution ???

0 Likes Likes

Sec101
L4 Transporter

‎07-23-2021 05:45 AM

Solutions anyone?  Other than strip alpn?

0 Likes Likes

Remo
L7 Applicator
In response to Sec101

‎07-23-2021 12:56 PM

So far ... no

0 Likes Likes

Remo
L7 Applicator
In response to Kuhn_Andreas

‎07-23-2021 01:28 PM

For quick tls checks I often use https://www.ssllabs.com/ssltest/ .

So far I have seen the error in this topic only with servers that do not have a preference with the configured ciphersuites - like this webserver https://svp.protectionone.de/ . The tls 1.2 ciphersuites look like this on ssllabs:

Screenshot_20210723-220150_Chrome.jpg

So as far as I know when a browser connects directly to such a webserver it chooses the strongest ciphersuites. When paloalto connects to this webserver with tls1.2 (as 9.1 does not support tls1.3) I assume the order of ciphersuites that the firewall sends to the server is not "correct" for h/2. This means that the order in the client hello probably has not the stronges ones in the first places but then the first one is chosen from that client hello and this one is one of them which are not allowed for h/2. With servers that have a preference, they almost always prefer the strongest ones so the order in the client hello does not matter and the decryption works properly without this error.

With tls1.3 (supported in PAN-OS 10) the situation changes completely as there weak ciphers aren't even part of the specs. So when viewing again this example webserver, with tls1.3 it supports these ciphersuites:

Screenshot_20210723-222613_Chrome.jpg

The server still has no preference for the ciphersuites, but as all 3 of them are allowed for h/2 this isn't an issue when decrypting the connection with PAN-OS 10.

 

So as far as I see it, the solution would be to change the order of ciphersuites in the client hello and this problem would be gone in PAN-OS 9.1 ...

 

Alex-Chard
L0 Member

‎07-27-2021 04:58 PM

I have fixed this for some sites by removing SHA1 from the allowed auth algorithms.

Not exhaustively tested but works so far!

 

AlexChard_0-1627430309560.png

 

  • 51452 Views
  • 36 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks