This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

SSL Decryption: SHA1-Intermediate certificate gets decrypted, even if not allowed to

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption: SHA1-Intermediate certificate gets decrypted, even if not allowed to

mrkskhn
L1 Bithead

‎12-30-2019 05:22 AM

Hi paloalto community,

 

I tested my new ssl decryption rules against the badssl dashboard ( https://badssl.com/dashboard/ ).

So far it looks good. Unfortunately the check for sha1-intermediate doesn’t pass. Our PA-850 (Firmware 9.0.5) does create a secure connection to this site for the client ( https://sha1-intermediate.badssl.com/ ), even I configured to not support SHA1.

 

Here is my configuration:

2019-12-30 14_17_20-pa-1.png2019-12-30 14_17_08-pa-1.png2019-12-30 14_16_37-pa-1.png

Is there something I forgot to configure?

 

Thanks and best regards,

Markus

1 person had this problem.
0 Likes Likes
4 REPLIES 4

jdelio
L7 Applicator

‎12-31-2019 03:11 PM

This is odd that it would be happening with PAN-OS 9.0.5. As anything like that should have been cleared up. 

There was a prior discussion talking about similar things:

https://live.paloaltonetworks.com/t5/General-Topics/PA-3020-SSL-Decryption-Query/m-p/280993#M75902

 

But there is no real answer as to why.. 

 

What browsers? does it matter if you use Edge, Firefox or Chrome?

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
0 Likes Likes

mrkskhn
L1 Bithead
In response to jdelio

‎01-06-2020 12:36 AM

Same with different browsers 

0 Likes Likes

mrkskhn
L1 Bithead
In response to mrkskhn

‎01-15-2020 08:14 AM

Some more trouble with decryption:

 

https://www.lobster.de/

 

This page gets an untrusted paloalto cert, even it's a valid certificate? Can someone confirm this on his paloalto decryption setup?

0 Likes Likes

Remo
L7 Applicator
In response to mrkskhn

‎01-15-2020 09:05 AM - edited ‎01-15-2020 09:08 AM

Hi @mrkskhn 

At least this website is configured not correctly. The webserver does not send the intemediate certificate in the TLS handshake. Without this intermediate certificate the firewall cannot verify if this certificate is trusted / it is not able to check the certificate path.

You have not 3 possibilities with your current configuration:

  1. Import the intermediate cert of this website manually onto your firewall and mark it as trusted root
  2. Create a decryption rule with another decryption profile where you allow untrusted issuers and add a custom URL category to that rule where you add websites like this one
  3. Try to contact the operator of the website to have them fix the issue

And yes, because paloalto firewalls don't have the intermediate certs locally the "problem" you see will be on all palo fws.

  • 5039 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks