SSL decryption inbound issue


We've been using SSL decryption inbound for a while. In order to decrypt traffic based on DHE and ECDHE ciphers, we moved to PAN-OS 8.0. On 7.1.10, traffic with those ciphers was not decrypted but passed through. Now, on 8.0.6, we see drops.

The decryption profile sets TLSv1.0 only as protocol, but we allow other protocol versions and ciphers (block unchecked for unsupported versions and cipher suites).

When the decryption policy is enabled, requests from Firefox v.59 (Windows, Linux and Android) get an SSL_ERROR_ILLEGAL_PARAMETER_ERROR.

I couldn't find info from Paloalto describing those errors. They say that when decryption is not supported, the session is not decrypted and is passed through the firewall, as mentioned here:

https://live.paloaltonetworks.com/t5/PSIRT-Articles/Safely-inspecting-SSL-transactions/ta-p/148517

https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Cipher-suite-enforcement-in-d...

Briefing, decryption policy enabled: we get errors. Decryption policy disabled: everything works fine.

Am I confused, or is this the expected behaviour?

@ACortes,

Can you post how your decryption profile is actually configured? Part of your question really doesn't work together: you are only allowing TLSv1.0, but you also say that you are allowing other protocols?

Well. This is the profile. I only want to decrypt TLSv1.0. Other traffic is supposed to be allowed without being decrypted, or I may have misunderstood how inbound inspection works.

[Attachment: profile-1.JPG]

[Attachment: profile-2.JPG]

When the issue happens, the client tries to negotiate TLSv1.2 and something goes wrong.

This is captured on the FW, at firewall stage:

[Attachment: pcap-1-client-hello.png]

[Attachment: pcap-2-server-hello.png]

And this is captured from the client side:

[Attachment: pcap-3-clientside.PNG]

After opening a case, a workaround has been supplied: "Enabling TLSv1.2 on the profile, it works properly". Anyway, that's not the point, because traffic that cannot be decrypted should be allowed as SSL, shouldn't it?

If I don't want to decrypt nor block sessions based on TLSv1.1 or TLSv1.2, why are they being blocked?
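To make the expected behaviour discussed in this thread concrete, here is an added Python example (not PAN-OS code and not from any poster) that parses a constructed ServerHello record and models the documented inbound-inspection outcome for a profile like the one above: decrypt when the negotiated version and cipher suite fit the profile, otherwise pass the session through unless the matching "block unsupported" option is checked. The profile dictionary, its allowed cipher list and the sample bytes are assumptions made for the example.

```python
import struct

VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# Constructed ServerHello (TLS record + handshake header), not a capture from
# the thread: the server picks TLSv1.2 and ECDHE-RSA-AES128-GCM-SHA256 (0xc02f).
SAMPLE_SERVER_HELLO = bytes.fromhex(
    "16 03 03 00 2c "      # record: handshake (22), TLS 1.2, length 44
    "02 00 00 28 "         # handshake: server_hello (2), length 40
    "03 03 "               # server_version: TLS 1.2
    + "22" * 32 +          # server random (constructed filler)
    " 00 "                 # session_id length 0
    "c0 2f "               # chosen cipher suite
    "00 "                  # compression: null
    "00 00"                # extensions length 0
)

# Assumed model of the profile in the thread: TLSv1.0 only, neither block option set.
THREAD_PROFILE = {
    "min_version": 0x0301, "max_version": 0x0301,
    "cipher_suites": {0xc02f, 0xc02b, 0x002f, 0x0035},   # assumed allowed list
    "block_unsupported_versions": False,
    "block_unsupported_ciphers": False,
}

def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated protocol version and cipher suite from a ServerHello record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                       # skip server random
    pos += 1 + hs[pos]                 # skip session_id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": cipher}

def inbound_decision(hello: dict, profile: dict) -> str:
    """Documented outcome: decrypt if version and cipher fit the profile; otherwise block
    only when the matching 'block unsupported' option is set, else pass through."""
    version_ok = profile["min_version"] <= hello["version"] <= profile["max_version"]
    cipher_ok = hello["cipher_suite"] in profile["cipher_suites"]
    if version_ok and cipher_ok:
        return "decrypt"
    if (not version_ok and profile["block_unsupported_versions"]) or \
       (not cipher_ok and profile["block_unsupported_ciphers"]):
        return "block"
    return "pass-through"

if __name__ == "__main__":
    hello = parse_server_hello(SAMPLE_SERVER_HELLO)
    print(VERSION_NAMES[hello["version"]], hex(hello["cipher_suite"]),
          "->", inbound_decision(hello, THREAD_PROFILE))
```

For the thread's profile the TLSv1.2 session above should come out as "pass-through", which is the behaviour the poster expected rather than the observed drop.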

@ACortes

If connections from specific clients are blocked, are these connections blocked permanently or does it work when you reload the website?

Permanently.
