SSL Decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Decryption

L4 Transporter

Hey

why PA doesnt do SSL Decryption for this site: WeTransfer

i can see PA is recognizing it as this application: wetransfer

but ican see the original Go daddy ceritifcate in the browser windows, and in the PA logs i cannot see "decrypted" on this traffic why is this?

this is my decryption policy:

------------------------------------------------------------------------------------------------------------------------------------------------------------------

admin@PA-500# show rulebase decryption rules

rules {

  "no Decrypt" {

    category any;

    type {

      ssl-forward-proxy;

    }

    from trust;

    to untrust;

    source any;

    destination Hilan3-192.168.210.154;

    source-user any;

    negate-source no;

    negate-destination no;

    action no-decrypt;

    disabled no;

  }

  Decrypt {

    category any;

    type {

      ssl-forward-proxy;

    }

    from trust;

    to untrust;

    source any;

    destination any;

    source-user any;

    negate-source no;

    negate-destination no;

    action decrypt;

    disabled no;

  }

}

this is one of the session opened to the IP

------------------------------------------------------------------------------------------------------------------------------------------------------------------

admin@PA-500> show session id 21323

Session           21323

        c2s flow:

                source:      192.168.1.149 [trust]

                dst:         173.241.240.180

                proto:       6

                sport:       52891           dport:      443

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      173.241.240.180 [untrust]

                dst:         192.168.1.149

                proto:       6

                sport:       443             dport:      52891

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Wed Jun 26 13:34:22 2013

        timeout                       : 30 sec

        time to live                  : 19 sec

        total byte count(c2s)         : 1792

        total byte count(s2c)         : 4725

        layer7 packet count(c2s)      : 9

        layer7 packet count(s2c)      : 10

        vsys                          : vsys1

        application                   : wetransfer

        rule                          : rule1

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        layer7 processing             : completed

        URL filtering enabled         : True

        URL category                  : online-personal-storage

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

        session tracker stage l7proc  : ctd err bypass

admin@PA-500>

6 REPLIES 6

L4 Transporter

With my configuration, too. It isn't decrypted...

any idea why?

Just tried it again with Chrome. Our own certificate was used but at the logs still encrypted....try it also with chrome...

yes with chrome it is beeing decrypted by the certificate that i see in browser

but i can see different logs when accessing the website using chrome and using explorer

Contact the PaloAlto support. They should be able to fix it. I guess the application is the issue... We had similar problems with youtube...

It doesnt seem to be part of the internal whitelist at least:

Also it seems to be hosted by amazon in case that somehow affects this "bug" (or whatever it is thats happening to you):

https://www.ssllabs.com/ssltest/analyze.html?d=www.wetransfer.com

PA devices have had problems with TLS in the past... even if SSL 3.0 is supported the only support ciphersuits are TLS-based:

https://www.ssllabs.com/ssltest/analyze.html?d=www.wetransfer.com&s=176.34.236.232

Cipher Suites (sorted by strength; the server has no preference)

TLS_RSA_WITH_RC4_128_MD5 (0x4)     128

TLS_RSA_WITH_RC4_128_SHA (0x5)     128

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     168

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256

  • 3368 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!