This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

SSL Decryption for Chrome Browser

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption for Chrome Browser

Farzana
L4 Transporter

‎07-13-2017 09:41 PM

Hello,

 

Below is our Decryption Policy. Using latest Chrome version.

Security certificate used by the Palo is from the Windows domain PKI and is already implicitly trusted as this testing is from a domain connected Windows 10 device over Ethernet.

It is working fine for IE but in Chrome it is showing like this:

 

Decryption.jpg

 

 

SSLDecryption.jpg

 

If I set the URL Category of Computers and Internet information to no-decrypt the error stops for this web site but continues for others, including the main Palo support pages.

Any idea how to stop this?

 

0 Likes Likes
2 REPLIES 2

MohamedSharief
L4 Transporter

‎07-25-2017 01:10 AM

Hi,

 

Are you getting any decrypt-error end reason in traffic logs?

 

Can you use the service in the Security Rule as 'any' (in case you are using application-default).

 

Also you may block quic application as its mainly used by Chrome.

 

Regards,

Sharief

Regards,
Sharief

Farzana
L4 Transporter
In response to MohamedSharief

‎07-25-2017 03:48 PM

Thanks M.

 

We noticed that if the certificate used for forward proxy SSL is not SHA 256 then the Google Chrome browser will not behave. Our Windows PKI is still producing SHA 1 certificates and would need to be updated to be of any use for issuing these certs to the Palo.

 

Once the SHA 256 cert generated from the Palo is imported to the test PC’s then Google Chrome immediately sees it in the store and is happy to use this for SSL inspection.  A SHA1 cert from our Windows PKI does not show up in Chrome and is ignored for SSL decryption, which was the start of this issue.

 

It would seem that Google is on the fast track to make SHA 1 a bit of history, while IE11 is still happy to use SHA1 for security.

  • 2576 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks