SSL Decryption Woes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption Woes

L1 Bithead

Hi,

 

I am not able to get to https://platinum.netnames.com/ with SSL decryption on, on PAN 7.0.1 / PA-3020 (IE11 / FF40 == TLS failure). Also, speed seems capped to 3Mbit/s with some CDNs (S3 AWS). Am I missing something?

 

thanks.

13 REPLIES 13

L5 Sessionator

The website "https://platinum.netnames.com" is using unsupported cipher suite (TLS_ECDHE_RSA is not supported.) that's why you are having issues while opening that website. Refer to following documnet

 

https://live.paloaltonetworks.com/t5/Articles/SSL-Decryption-Not-Working-due-to-Unsupported-Cipher-S...

 

L7 Applicator

Hi,

 

This site only supporty ciphersuites with forward secrecy (ciphers with ECDHE or DHE). Those ciphers are not supported by the ssl decryption feature of paloalto.

 

These are the supported ciphers of this website:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

 

source: https://www.ssllabs.com/ssltest/analyze.html?d=platinum.netnames.com

 

Hope this helps.

 

Regards,

Remo

L1 Bithead

That's what I suspected, however I don't understand why can't it be handled in a graceful manner (aka simply not decrypting) ? It is not very convenient to whitelist on incident (neither it is practical). It would be nice if PaloAlto could maintain a category of such sites on their own so we just have to exclude it from decryption and everybody benefits from it.

Is anyone using SSL Decrypt in the field with a lot of URL categories?

 

thanks for your input.

Some server uses non standard cipher suites that  why PA cannot decrypt them. However PAOS 7.0 can decrypt more traffic than previous versions.

 

Regards,

Pankaj Kumar

I totally feel your pain and agree...I've actually got a case open right now on this very issue.  The amount of TLS1.2 sites that fail to load because of unsupported cipher suites the palo doesn't support is kinda crazy.

 

Then compounding the issue is the "Page can't be disaplayed" error users get in IE.  At least Chrome give users a "Connection Closed Error" which does indicate something actually happened.

 

On your decryption profile you should be able to allow connection to SSL sites with "Unsupported ciphers" which I've actually got set to allow, but the 5060 still isn't allowing the connection.  So TAC is investigating.

FWIW I am the only user of the solution (demo unit), and I am thinking of turning off SSL decryption given the number of issues it causes. I can't imagine the number of tickets I would get with 1K+ users on it.

How is TAC dealing with these issues from your experience?

Thanks!

Oddly enough, it's still worth it.

 

Not all sites run TLS1.2.  There have been plenty of cases where decrypted content has enabled the threat service to find malware.

 

There are also a fair amount of sites running TLS1.2 that the device does support FB, Youtube, Webmail, as well as other governmental websites.

As far as TAC support on this TLS issue.  I've only had the case open for about 12 hours.  We'll see how things progress.

I've got about 1k users and I am decrypting all traffic. Currently running 7.0.1 on a pair of 3050s. 7.x has definitely improved the situation as they fixed a bug that prevented many pages from loading even with the unsupported cipher bypass enabled. You still run into situations like the one you described, but not nearly as many as before. I generally have 2-3 unblock requests per week so it is managable for now. I expect that number to go up in the future as more sites begin using cipher suites that the Palos can't handle. I'm hoping Palo is putting time into supporting more suites as decryption is one of the foundations of their app-id.

 

Still don't have an answer from TAC.

Slightly OT, what kind of traffic do you manage to require 3050s instead of 3020s for 1K users?

L6 Presenter

Bug ID 83524 -

 

Has been documented for sites with unsupported cipher suites still not being accessible when configured to not block unsupported cipher suites.

 

The current work around is to bypass URLs as they come.  As of this date 8 Sep 15, this bug still isn't resolved in 7.0.2, though operability with other ciphers might be better the bug isn't officially resolved in 7.0.2.

I asked a Palo Alto representative about this a few months back, and support for TLS_ECDHE_RSA and TLS_DHE_RSA was planned to be implemented sometime in the first half of 2016.

 

Could be coming in PANOS 8?

  • 6677 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!