I'm having SSL decryption issues with the latest versions of Firefox.
In Firefox I get the following error when visiting an https site:
Secure Connection Failed
An error occurred during a connection to live.paloaltonetworks.com. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
Seems to be related to how Firefox handles certificates, requiring them to be more secure (number of bits and encryption algorithm), but I haven't found the exact requirements yet.
I can generate and deploy a new certificate, but I'm not sure what will give me one Firefox will accept.
Any thoughts?
Also seems related to the Issuer CN in the certificate (see 1153204 – Firefox doesn't connect to https://www.deutschepost.de/ because its issuer certificate con...)
In our case it contains the IP address of the firewall, where Firefox seems to expect a DNS name.
I have not been able to confirm this yet...
Firefox 37 and earlier are not affected.
I have not tried a newer beta yet.
The certificate is one generated with the PA. It only contains a handful of default attributes (organization, email, ...).
Replacing the IP with a valid DNS entry did not resolve the issue.
One would call it a Firefox issue... But I guess it's the way the PA generates the certificate. It would be good to know if this issue is resolved with a newer PAN-OS version, or to have a workaround.
What version of PAN-OS are you using?
Also, does Chrome or Internet Explorer show the same error while the firewall is attempting to decrypt it?
It doesn't seem to affect IE or Chrome, but as of Firefox 38.0.1 we are also seeing the issue. Specifically for us, it's affecting https://accounts.google.com.
I bet you are correct that this is happening due to Firefox handling the security/certificates differently than IE and Chrome.
This also has to do with how PAN is decrypting and encrypting the traffic differently from what Firefox is expecting, thus causing this issue.
I would recommend opening a case with TAC (PAN Support), if you do not already have one, to get this addressed.
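The error text above ("improperly formatted DER-encoded message", sec_error_bad_der) says the certificate failed strict DER parsing, which is a different complaint from "the issuer CN is an IP address". The two can be told apart offline by walking the Issuer field of the exported certificate with a strict decoder. The script below is an added example, not code from the thread or from Palo Alto Networks: it rejects encodings that are legal BER but not DER (indefinite or non-minimal lengths), extracts the commonName from an X.509 Name, and flags a CN that is an IP literal. The sample Name blobs are constructed inline for the demonstration; on a real firewall you would feed it the Issuer bytes pulled from the DER certificate exported from the device.

```python
"""Strict DER walk of an X.509 Name to classify sec_error_bad_der-style
failures. Added example (not from the thread or from Palo Alto Networks).
Assumes the Name's DER bytes are already in hand; samples are constructed."""
import ipaddress

OID_CN = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3


class BadDER(ValueError):
    """Raised for anything a strict DER decoder would refuse."""


def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, value, next_pos).
    Enforces definite, minimally encoded lengths as DER requires."""
    if pos >= len(buf):
        raise BadDER("truncated: no tag at offset %d" % pos)
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise BadDER("multi-byte tags not expected in a Name")
    pos += 1
    if pos >= len(buf):
        raise BadDER("truncated length")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        raise BadDER("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise BadDER("bad long-form length")
        lb = buf[pos:pos + n]
        pos += n
        if lb[0] == 0:
            raise BadDER("non-minimal length: leading zero byte")
        length = int.from_bytes(lb, "big")
        if length < 0x80:
            raise BadDER("non-minimal length: long form used for %d" % length)
    if pos + length > len(buf):
        raise BadDER("truncated value")
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v


def issuer_cn(name_der):
    """Name ::= SEQUENCE OF RelativeDistinguishedName,
    RDN ::= SET OF AttributeTypeAndValue (SEQUENCE { OID, value })."""
    tag, body, end = read_tlv(name_der, 0)
    if tag != 0x30 or end != len(name_der):
        raise BadDER("Name is not a single SEQUENCE")
    for rdn_tag, rdn in iter_children(body):
        if rdn_tag != 0x31:
            raise BadDER("RDN is not a SET")
        for atv_tag, atv in iter_children(rdn):
            parts = list(iter_children(atv))
            if atv_tag != 0x30 or len(parts) != 2 or parts[0][0] != 0x06:
                raise BadDER("malformed AttributeTypeAndValue")
            (_, oid), (val_tag, val) = parts
            if oid == OID_CN:
                if val_tag not in (0x13, 0x0C):   # PrintableString, UTF8String
                    raise BadDER("CN uses string type 0x%02x" % val_tag)
                return val.decode("utf-8")
    return None


def cn_is_ip_literal(cn):
    try:
        ipaddress.ip_address(cn)
        return True
    except ValueError:
        return False


def check(name_der):
    """Classify a Name: 'bad_der', 'no_cn', 'ip_literal' or 'ok'."""
    try:
        cn = issuer_cn(name_der)
    except BadDER as e:
        return ("bad_der", str(e))
    if cn is None:
        return ("no_cn", "")
    return ("ip_literal" if cn_is_ip_literal(cn) else "ok", cn)


# --- constructed samples (hypothetical CNs, not real firewall output) ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        lb = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + lb + value


def build_name(cn):
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, cn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))


IP_CN_NAME = build_name("10.0.0.1")            # valid DER, CN is an IP
DNS_CN_NAME = build_name("fw.example.com")     # valid DER, CN is a host name
# Same bytes as IP_CN_NAME but the outer length written as 0x81 0x13:
# legal BER, invalid DER, the kind of thing a strict parser rejects.
SLOPPY_NAME = bytes([0x30, 0x81, len(IP_CN_NAME) - 2]) + IP_CN_NAME[2:]

if __name__ == "__main__":
    for label, blob in (("ip", IP_CN_NAME), ("dns", DNS_CN_NAME), ("sloppy", SLOPPY_NAME)):
        print(label, check(blob))
```

If the firewall's certificate comes back "ip_literal" but not "bad_der", the CN content is the only thing this check finds, and the error code in the browser is still pointing at the encoding rather than at the name; if it comes back "bad_der", the exact offset and reason in the message is what to put in the TAC case.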