07-10-2017 08:38 AM
Hello,
I have a PA-VM running on a ESX server.
I want to set up SSL Decryption on it using a SUBCA certificate chain signed by a PKI (Windows Server).
I checked the boxes "Forward to trust/untrusted certificate".
I exported the SUBCA to store it on a client machine (to avoid the warning message).
The network is OK.
The policy is any-any permit.
The SSL decryption policy is set up to decrypt everything.
The main issue is the following:
On the client machine, I am not allowed to reach any website using HTTPS; the browser tells me that the connection has been reset... whatever the browser (Chrome, IE, etc.).
I can't find anything to solve my issue...
Thanks in advance
Regards
07-10-2017 09:22 AM
It doesn't sound like SSL decryption was set up properly. Did you follow any of the guides when you were setting this up? Generally you should at least be getting a message about the certificate not being trusted. I would personally delete the setup that you have currently and follow the guide found here to verify that everything is set up correctly.
https://live.paloaltonetworks.com/t5/Tutorials/How-to-Configure-SSL-Decryption/ta-p/65073#TopicC
07-10-2017 09:23 AM
The traffic logs session end reason? What can you see there?
07-11-2017 06:10 AM
Thanks for your answers.
I followed several guides to set up SSL Decryption (including the one you provide).
192.168.116.191 is the internal IP (default gateway of the users)
I configured it again, using a self-signed certificate, and the problem is still there...
07-11-2017 06:32 AM
Hi,
try to open the VMware website:
Most likely it is all due to HTTP Public Key Pinning:
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
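As an added example (not part of this thread), the script below computes the HPKP-style SPKI pin of a stand-in site certificate and of a leaf re-issued under a forward-trust SubCA, which is what a decrypting firewall presents to the client, to show why a client that pins the site's own key would refuse the decrypted session. It assumes openssl is installed; all keys and certificates are constructed locally, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: compute HPKP-style SPKI pins for a
# stand-in site certificate and for a leaf re-issued under a forward-trust
# SubCA (as a decrypting firewall does), to show why a client that pins the
# site's key would refuse the decrypted session. Assumes openssl is installed;
# every key and certificate below is generated here, offline.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# spki_pin CERT.pem -> base64(sha256(SubjectPublicKeyInfo)), the HPKP pin form
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# pin_matches OBSERVED EXPECTED -> exit 0 only if the pins are identical
pin_matches() {
    [ "$1" = "$2" ]
}

# Constructed stand-in for the genuine site certificate (self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
    -out "$WORK/site.pem" -days 1 -subj "/CN=www.example.test" >/dev/null 2>&1

# Constructed forward-trust SubCA, like the one issued by the Windows PKI.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 1 -subj "/CN=Forward-Trust-SubCA" >/dev/null 2>&1

# The firewall re-issues the site's certificate under its own key pair and
# signs it with the SubCA; the new leaf carries a different public key.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/fw.key" \
    -out "$WORK/fw.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/fw.pem" -days 1 >/dev/null 2>&1

SITE_PIN="$(spki_pin "$WORK/site.pem")"
FW_PIN="$(spki_pin "$WORK/fw.pem")"
echo "genuine site pin:   $SITE_PIN"
echo "re-issued leaf pin: $FW_PIN"
if pin_matches "$FW_PIN" "$SITE_PIN"; then
    echo "pin matches: a pinning client would accept this chain"
else
    echo "pin mismatch: a pinning client would reject the decrypted session"
fi
```

Mainstream browsers do not enforce pins for chains that end in a locally installed private root, so a forward-trust CA that is correctly imported on the client normally sidesteps pinning altogether; a pin failure also shows up as a certificate error page, not a bare connection reset.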
07-11-2017 06:57 AM
I can't access https://www.vmware.com either 😞
For your information, I tried to set up SSL Decryption on a new PA-820 running PAN-OS 8.0, with the same configuration, and the problem is the same...
What should I do to make it functional?
07-11-2017 07:08 AM
Did you actually click on the "confirm security exception" button?
07-11-2017 07:14 AM
Yes I did 🙂
I'm very surprised about this issue... the configuration is pretty simple, but the troubleshooting is not so easy.
07-11-2017 07:16 AM
Yeah, the only thing I have different is that on my SSL self-gen cert I have a CN as a name, not an IP. Can you test with self-signed certs?
07-11-2017 07:28 AM
Yeah, I have tested with a self-signed certificate; please refer to my previous post (screenshots have been posted).
CN or IP doesn't matter... right ?
07-11-2017 07:29 AM - edited 07-11-2017 07:49 AM
Ohh, blind me :D. Should not really in our case.
EDIT: FYI
07-11-2017 07:52 AM
Stupid question, but did you actually import the cert onto the local machine? It doesn't look like you did, and if you are utilizing a self-signed cert then you need to accept the cert that you are using to actively decrypt the traffic. From your provided screenshots it doesn't look like this is actually done, which would cause a whole heap of security errors from pretty much any browser.
07-11-2017 08:17 AM
I didn't import it during my first screenshots, but I did it after; the problem is still here.
With the certificate in the client's store, I don't get any more warnings from the browser, but directly the "reset" message.
I have the same certificate when I try to reach the VMware website:
07-11-2017 08:19 AM
Miracle. What can you see in the traffic logs (session-end reason)?
07-12-2017 02:33 AM
Hello,
TCP reset from client...
I downgraded PAN-OS to 7.1.0 and now the browser tries to reach the website (perpetually), but this time without the reset message.