SSL Decryption issue (wrong certificate)

TranceforLife · ‎02-06-2017

Hi All,

Having SSL Decryption issue with one of the websites at the moment (https://wiki.freeradius.org/Home)

So testing without decryption and checking certs chain:

Can see root CA on Palo:

So all looks good. Implementing SSL Decryption (test version only) with two certs generated on PA one for forward trust another is for forward untrust:

Doing a test with some websites reviewing a forward trust cert. As an example bbc.co.uk:

l didn't import cert to the test PC as want to confirm first everything is working fine.

Done another test with the websites which allow decryption all looks good correct cert is forwarded. But for the website https://wiki.freeradius.org/Home getting the wrong cert which is forward untrust:

Don't know why. Cache is cleared, and the new cert is recreated for untrust but still the same.

PA-5050 Active/Active PAN-OS 7.1.5

Am l missing something simple?

Regards,

Myky

Gertjan-HFG · ‎02-06-2017

Check the results there is your answer:

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org&hideResults=on

View solution in original post

jvalentine · ‎02-06-2017

I'm not certain, but this might be caused by an incomplete certificate chain (per ssllabs.com):

The traffic log complains about cert-validation as well:

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org

View solution in original post

Gertjan-HFG · ‎02-06-2017

Check the results there is your answer:

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org&hideResults=on

jvalentine · ‎02-06-2017

I'm not certain, but this might be caused by an incomplete certificate chain (per ssllabs.com):

The traffic log complains about cert-validation as well:

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.freeradius.org

TranceforLife · ‎02-06-2017

@jvalentine @Gertjan-HFG thanks all. Looks like l missing something simple. Why the web-browser is not complaining without ssl decryption in place?

Gertjan-HFG · ‎02-06-2017

Its because you use IE.

IE wil try to dowload the missing certificates in the chain.

Try firefox and it will complain.

TranceforLife · ‎02-06-2017

@Gertjan-HFG ok with firefox l am not even able to open this website. Chrome also is not complaining:

I am new to SSL so if you can let me know what is actually happening with the server cert l will appreciate:0

Thx,

Myky

Gertjan-HFG · ‎02-06-2017

Its not a problem of the PA or your decryption settings.

The website certificate is incorrect configured, the intermediate certificates are missing.

Thats why the PA sends the "not trusted" certificate to your browser.

TranceforLife · ‎02-06-2017

Hi @Gertjan-HFG

Ok cool as you said before IE and Chrome will ignore this, right? As long as it has a root CA.

Thx,

Myky

Gertjan-HFG · ‎02-06-2017

Yes, Chrome(uses the windows cert store) and IE will try to download the intermediate certs as long as they have a valid root CA in their certificate store.

TranceforLife · ‎02-06-2017

Cool l have learned something new today. Thanks/ Last thing Do you have any good article explaining this?

Thx,

Myky

Gertjan-HFG · ‎02-06-2017

Your welcome.

I don't have documentation on this issue specific. ( its all in my head 😉 )

TranceforLife · ‎02-07-2017

To fix the issue for this particular website l did import a COMODORSADomainValidationSecureServerCA.crt to the box:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Import-the-Intermediate-CA-on-the-Fi...

Gertjan-HFG · ‎02-07-2017

In my opinion is importing the intermediate certificate in this situation wrong.

The behaviour was as expected and correct.

With this "fix", you are covering a warning that the site is misconfigured.

TranceforLife · ‎02-07-2017

I do agree with you as really it is a "masquerading" of the problem.

Unlock your full community experience!

SSL Decryption issue (wrong certificate)

SSL Decryption issue (wrong certificate)

Show your appreciation!