SSL error with GlobalProtect portal and Firefox 27.0.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL error with GlobalProtect portal and Firefox 27.0.1

L2 Linker

Hi,

I have been setting up the GlobalProtect VPN infrastructure for our new PA 3020. Until recently, the GlobalProtect Portal was just fine, but now, with the latest Firefox update 27.0.1, I can't access the client download page with Firefox anymore. I get the error message below. I have verified with serveral different systems that with older (e.g. 26.0) versions of Firefox it works just fine. Anyone else noticed this? Can this be fixed in any way in PA configuration, or do I just need to wait for a fix for Firefox?

-Petteri

1 accepted solution

Accepted Solutions

L3 Networker

can you verify what the Max TLS version is in browser config and try lowering the version. If it is 3 , try changing it to 2 and see if that fix the issue To verify and change version:  In firefox url address bar type about:config and then search for security.tls.version.max,modify the value . Close all browser windows and reopen. See if that fix the issue 

View solution in original post

9 REPLIES 9

L7 Applicator

See if clearing the site cookies works for this issue. 

SSL Decryption Stops Working on Firefox Browser After Changing SSL Decryption Certificate

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Clering cookies did not help with the issue.

if you can;

Could you please generate a new certificate for GP and see if it is fixed

L3 Networker

can you verify what the Max TLS version is in browser config and try lowering the version. If it is 3 , try changing it to 2 and see if that fix the issue To verify and change version:  In firefox url address bar type about:config and then search for security.tls.version.max,modify the value . Close all browser windows and reopen. See if that fix the issue 

I'm using polish version of FF 27.0.1 and I logged into GP portal without any issues.

I'm using StartSSL SSL certyfiacte for GP portal.

Regards

Slawek

L2 Linker

Hi, this is solved now. Few important pieces of imformation were missing from my original post that I think somehow affect to this. First, I have both the portal and the gateway running in the same public IP address. Second, I also use client certificate profiles for both the portal and the gateway.

What I did now was that I disabled the client cert profiles for both the client and gateway, and committed the change. After that I was able to login to portal with the latest firefox. Then I enabled the client certificate profile only for the portal, and tried to login. At this point, I got the "Valid client certificate is required", which is kind of weird as I do have the correct client certificate available in the Firefox's certificate store. But, then I enabled the same client certificate profile also for the gateway, and now I'm able to login.

So, the configuration is now identical to the original one - I merely disabled the client certificate profiles for the portal and gateway, and then enabled them back.

I guess one teaching is that if the portal and gateway are running on the same IP address, the same client certificate profiles have to used for both. In the guide it's mentioned that if the IP address is shared between the portal and gateway, the same server SSL sertificate has to be used for both. But I didn't find any notes about a need to use also the same client certificate profiles.

-Petteri

L2 Linker

Well, it seems that I was too quick in my conclusions. After restarting Firefox, the same problem resurfaced. But anyway, now I know it's definitely about client certificates, becuase disabling makes it possible to use the portal page with the latest Firefox as well. I'll continue by checking the proposals above.

Lowering the TLS version in Firefox seems to have done the trick. Now Firefox prompts for client certificate, as expected:

Is there anything I can do find out if this is a:

a) bug in Firefox

b) bug in PanOS 6.0.0

c) something being wrong with my setup or certificates

-Petteri

L2 Linker

This seems to be fixed in Firefox 28.0.

  • 1 accepted solution
  • 8230 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!