08-15-2013 06:37 AM
We are testing SSL decryption on our PA at the moment. We have found a site that could not be decrypted: https://posteo.de/
Has anyone of you an idea why the decryption fails for that site?
And how could I troubleshoot such problems? Because the normal log does not show any problem, but the browser shows an error message.
Thank you!
08-15-2013 07:04 AM
Good Morning,
I just checked the certificate for https://posteo.de/ and it is signed by StartCom. It also has an intermediate certificate as shown.
Can you verify if StartCom is part of the Default Trusted Certificate Authorities?
Are you being presented with a forward Untrust Certificate? Also, are we "Blocking sessions with untrusted issuers"?
BR,
Karthik
08-15-2013 07:45 AM
Hi Karthik,
Can you verify if StartCom is part of the Default Trusted Certificate Authorities?
- Yes, it is part of the default trusted certificate authorities.
Are you being presented with a forward Untrust Certificate?
- No certificate is shown. IE just shows "This page cannot be displayed".
Also, are we "Blocking sessions with untrusted issuers"?
- No.
Thanks!
08-15-2013 08:22 AM
From what you have stated, it looks like we are either not seeing the entire TCP handshake completing for the SSL traffic, or there are some parameters on the Server Certificate that the PANFW doesn't like. If you set the action to No-Decrypt under the Decryption profile, does the webpage load?
Best regards,
Karthik RP
08-15-2013 08:35 AM
Yes, when we do no decrypt, the page is loading as expected.
08-15-2013 08:59 AM
It failed on our end as well, although we decrypted the traffic.