SSL Decryption

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption

L1 Bithead

Hi All, I have an issue with SSL decryption and using the inbuilt CA. What appears to happen is that various parts of SSL websites don't trust the CA on the palo alto and as a consequence sites do not load fully and report various certificate issues.

This is what https facebook looks like:

Screen Shot 2012-07-24 at 8.59.24 AM.png

The corresponding browser complaints:

Screen Shot 2012-07-25 at 3.27.39 PM.png

I'm running the very latest OS 4.1.6 but I was running 4.1.3 and this problem was evident then as well. I've tried uploading a trusted certificate from rapidssl and I don't get the option to select that is a valid certificate for a forward SSL proxy which is understandable as I don't have a key.

So I'm obviously doing something wrong - whats the accepted procedure to get this up and running?

Thanks in advance for your help

6 REPLIES 6

L3 Networker

Hi mgillette

In the pictures one can't see the presented certificates, but I think I had a sminilar problem and couldn't find a proper document, so I created my own.

The config guide attached works for me, maybe it works for you as well.

Andre

Hi Andre,

Firstly thanks for the config guide, but unfortunately it doesn't work for me in my scenario. We don't use AD or windows so I can't push out certificates using GPO. We are linux/Mac based and rely on users clicking the right option when their browser prompts them to accept a certificate. In the facebook case above the browser does not load the s-static.ak.fbcdn.net certificate. I need to manually load this into the browser on my test machine for https facebook to work.

I have tried other SSL sites, (gmail,hotmail,yahoo) these exhibit the same issue where the site doesn't trust the CA on the palo alto and doesn't load some certificates. This causes various parts of these sites to break.

Hi

I don't run WIndows either, pure Mac based environment 🙂

Yes, you have to import the forward-trust CA certificate into the client browsers, there is no way around it. If you do so, all runs smoothly even on a Mac.

If you go with two vert CAs (like in my guide), import both CAs into the clients browser

And don't forget to use a forward-untrust vert (do NOT import it). Doing so should allow you to see the certificate chain of both working and not working SSL Sites.

What I don't get: You say the Website does'n trust the Palo Alto CA? What do you mean by this? The PA behaves like a normal client to the original server, so it doesn't use any (of it's own) certificates.

Andre

Ok so here's what I've done. Downloaded the forward_trust CA and imported that into the keychain on an OS X machine. Fire up safari and go to ssl facebook. The browser complains that the identity of www.facebook.com can't be identified and asks me what to do. I click continue. Nothing appears to have changed from my first post and the safari activity window reports that the certificate for s-static.ak.fbcdn.net is invalid because the certificate issuer can't be identified.

Various other parts of SSL websites also break in this manner - hotmail,yahoo and gmail all report at some point that a certificate is invalid.

This is the screenshot of the certificates page

Screen Shot 2012-07-30 at 9.35.54 PM.png

And a screenshot of the decryption settings

Screen Shot 2012-07-30 at 9.36.59 PM.png

Looks good so far

you need to import the forward_trust and the root_ca into Mac OS-X.

Also: is the forward_trust signed by the root_ca?

Can you send a screenshot of the https certificate chain when calling the facebook site?

Andre

were you ever able to resolve this issue? I am having the exact same problem

  • 6450 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!