SSL decryption fails


L0 Member

We are testing SSL decryption on our PA at the moment. We have found a site that could not be decrypted: https://posteo.de/

Does anyone have an idea why the decryption fails for that site?

And how could I troubleshoot such problems? The normal log does not show any problem, but the browser shows an error message.

Thank you!

5 REPLIES 5

L5 Sessionator

Good Morning,

I just checked the certificate for https://posteo.de/ and it is signed by StartCom. It also has an intermediate certificate as shown.


Can you verify if Startcom is part of the Default Trusted Certificate Authorities?


Are you being presented with a forward Untrust Certificate? Also, are we "Blocking sessions with untrusted issuers"?


BR,

Karthik

Hi Karthik,

Can you verify if Startcom is part of the Default Trusted Certificate Authorities?

- Yes it is part of the default trusted certificate authorities


Are you being presented with a forward Untrust Certificate?

- No certificate is shown. IE just shows "This page cannot be displayed"


Also, are we "Blocking sessions with untrusted issuers"?

- No.


Thanks!


From what you have stated, it looks like we are either not seeing the entire TCP handshake completing for the SSL traffic, or there are some parameters on the Server Certificate that the PANFW doesn't like. If you set the action to No-Decrypt under the Decryption profile, does the webpage load?

Best regards,

Karthik RP

Yes, when we do no-decrypt, the page loads as expected.

It failed on our end as well, although we decrypted the traffic.

