SSL decryption issues with latest Firefox

L4 Transporter

Take a look at 1166216 – FF38, Secure Connection Failed (sec_error_bad_der) on internal certificates

Quote from David Keeler:

One common issue appears to be the encoding of the RSA modulus. If the highest bit of an integer is set, the proper DER encoding requires a leading zero byte to indicate that the integer is a positive value, not negative.

This actually seems to confirm that PA-generated certificates are faulty.

I have opened a case with our reseller. They are now trying to recreate the issue. If they can recreate, they will escalate to Palo Alto support.

L3 Networker

This issue isn't present on 6.0.9 or 6.1.4.

I opened a case with PAN Support while we were on 5.0.14 and had this issue, and all they kept coming back to me was that 5.0.X doesn't support TLS1.2 and sent me to a link of their support cipher pages. I told them it wasn't related to that as I forced Firefox to only use TLS1.1 and disabled the unsupported ciphers and was still getting the same problem.

I was getting nowhere. In the end, we needed to move to 6.x anyway to use some of the new features.

L4 Transporter

I went through the bugfixes and found these that may be related:

  • Release notes 6.0.7: 66635 Enabling SSL Forward Proxy decryption with a self-signed certificate could sometimes cause the certificate presented to the client to have a negative serial number, causing an error on the client.
  • 6.0.3: 61696 When using SSL Forward Proxy decryption with self-signed certificates with Firefox, an error was seen from Firefox regarding conflicting certificate serial numbers: sec_error_reused_issuer_and_serial.
  • 6.0.0: 59030 Certificates generated during SSL decryption were not adhering to the ASN.1 format. This was leading to the SSL connection being dropped by some servers.

Especially the last one...

Upgrade to 6.0.10 is planned next week, so fingers crossed.
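The DER rule quoted from the Firefox bug (a leading 0x00 byte whenever the first content octet of an INTEGER has its top bit set) and the negative-serial-number fix in 6.0.7 are the same defect showing up in two fields: an unsigned value whose top bit is set gets encoded without the pad byte, and a strict two's-complement parser reads it as negative. The Python below is an added example, not code from this thread or from Palo Alto Networks. It builds a constructed certificate-like structure (not a real certificate; the serial number, modulus and the index:tag path format of the report are assumptions of the example) both correctly and with the faulty encoding, then walks it to list every INTEGER a strict DER verifier would refuse.

```python
from __future__ import annotations


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int, *, strict: bool = True) -> bytes:
    """Encode a non-negative integer as a DER INTEGER (tag 0x02).

    strict=False drops the 0x00 pad byte DER requires when the top bit of the
    first content octet is set, reproducing the faulty encoding the Firefox
    bug comment describes: a strict parser then reads the value as negative.
    """
    if value < 0:
        raise ValueError("X.509 serial numbers and RSA moduli are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if strict and body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elems: bytes) -> bytes:
    payload = b"".join(elems)
    return b"\x30" + der_length(len(payload)) + payload


def der_bitstring(payload: bytes) -> bytes:
    """BIT STRING with zero unused bits, as subjectPublicKeyInfo wraps RSAPublicKey."""
    return b"\x03" + der_length(len(payload) + 1) + b"\x00" + payload


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content octets, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def decode_integer(tlv: bytes) -> int:
    """Decode a DER INTEGER the way a strict parser sees it: two's complement."""
    _, content, _ = read_tlv(tlv, 0)
    return int.from_bytes(content, "big", signed=True)


def integer_problems(content: bytes) -> list[str]:
    """Name what a strict DER parser would reject in an INTEGER's content octets."""
    if not content:
        return ["empty INTEGER"]
    problems = []
    if content[0] & 0x80:
        problems.append("negative value (missing leading 0x00)")
    if len(content) > 1 and content[0] == 0x00 and not content[1] & 0x80:
        problems.append("non-minimal encoding (redundant leading 0x00)")
    if len(content) > 1 and content[0] == 0xFF and content[1] & 0x80:
        problems.append("non-minimal encoding (redundant leading 0xFF)")
    return problems


def walk_integers(buf: bytes, path: str = "") -> list[tuple[str, list[str]]]:
    """Visit every INTEGER in a DER blob and report (path, problems) for each.

    Descends into constructed elements (SEQUENCE, SET, [n] EXPLICIT) and into a
    BIT STRING whose payload is exactly one SEQUENCE, which is how the RSA
    modulus sits inside subjectPublicKeyInfo. Paths are index:tag chains.
    """
    findings: list[tuple[str, list[str]]] = []
    pos = idx = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        here = f"{path}/{idx}:{tag:02x}"
        idx += 1
        if tag == 0x02:
            findings.append((here, integer_problems(content)))
        elif tag & 0x20:
            findings.extend(walk_integers(content, here))
        elif tag == 0x03 and len(content) > 2 and content[0] == 0 and content[1] == 0x30:
            inner = content[1:]
            try:
                _, _, end = read_tlv(inner, 0)
            except IndexError:
                end = -1
            if end == len(inner):  # payload is one whole SEQUENCE, not a signature
                findings.extend(walk_integers(inner, here))
    return findings


def bad_integers(der: bytes) -> list[str]:
    """Paths of the INTEGERs a strict verifier such as Firefox's would reject."""
    return [p for p, probs in walk_integers(der) if probs]


# Constructed sample, not a real certificate: the tbsCertificate pieces the
# release notes and the bug comment point at, serialNumber followed by a
# subjectPublicKeyInfo-style BIT STRING holding RSAPublicKey {modulus, e}.
SERIAL = 0x9C3A5F10            # top bit set: needs the 0x00 prefix
MODULUS = (1 << 2047) | 0xF5   # any 2048-bit modulus has its top bit set


def sample(strict: bool) -> bytes:
    rsa_key = der_sequence(der_integer(MODULUS, strict=strict), der_integer(65537))
    return der_sequence(der_integer(SERIAL, strict=strict), der_sequence(der_bitstring(rsa_key)))


GOOD = sample(strict=True)
BAD = sample(strict=False)

if __name__ == "__main__":
    print("faulty serial as a strict parser reads it:", decode_integer(der_integer(SERIAL, strict=False)))
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, bad_integers(blob) or "all INTEGERs are valid DER")
```

`bad_integers` can be pointed at the bytes of a real DER certificate (for example one exported from the browser's certificate viewer after a sec_error_bad_der): the walker descends through the [0] version and [3] extensions tags and into the public-key BIT STRING, and an empty result means every INTEGER in the certificate is minimal and non-negative, which rules out this class of problem before blaming TLS versions or cipher suites.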

L4 Transporter

With the upgrade and after generating completely new certificates (root CA and client certificate are self-signed in our case; server certificate is a public one), the issue seems to be resolved.

Our reseller helpdesk however did not confirm if it had anything to do with the listed bugfixes.

We still have issues with certain https websites, where Firefox throws the error

Secure Connection Failed

The connection to the server was reset while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

    Please contact the website owners to inform them of this problem.

Example url: https://support.office.com/

L4 Transporter

This issue still exists in PAN-OS 7.0.0 and Firefox v39. I tried opening https://support.office.com and the firewall responds with a FIN,ACK immediately:

[screenshot: PA_SSL_Issue.png]

The internal Root-CA certificate is imported to the Firefox Trusted CA store. The issue doesn't appear when loading the page with IE11 or Chrome 43.

L4 Transporter

How is your decryption certificate encrypted?

Edit: let me clarify.

I've been told that since 6.1.4 you can encrypt the cert with AES256 and that should solve the Firefox issue.

But you'd have to generate a new cert, of course.

L3 Networker

Has this been verified?

L4 Transporter

I've been on 6.1.7 for a while now. Been testing internally with a newly generated certificate. So far I have not encountered the issue anymore in FF.

But PA support also said another fix was made in 6.1.8, issue id 81830.

I'll upgrade to 6.1.9 soon. If the problem stays away, I'll re-enable decryption for our users.
