SSL Expired Cert and SSL decryption

Cyber Elite


We have a vendor site which we access.

Recently their SSL cert expired, and when I try to access that website Chrome shows the cert is invalid; still, in the browser it shows it is decrypting the website and I can see the PA cert there.

Traffic log shows session end reason was policy deny?

Why does PA show the cert as invalid or not trusted when the vendor SSL cert is expired?

How does PA know that the vendor SSL cert is expired?

MP
Community Team Member

Hi @MP18 ,

You probably do not block sessions with expired certificates, as shown in the image below:

[image: ssl-forward-proxy-best-practice-81.png]

Block sessions with expired certificates—Always check this box to block sessions with servers that have expired certificates and prevent access to potentially insecure sites. If you don’t check this box, users can connect with and transact with potentially malicious sites and see warning messages when they attempt to connect, but the connection is not prevented.

For forward SSL Proxy, the validity date on the Palo Alto Networks firewall generated certificate is taken from the validity date on the real server certificate. (SSL FORWARD PROXY)

Cheers!

-Kiwi.

Cyber Elite

@MP18,

The firewall will decrypt all of the traffic regardless of certificate status, but it will utilize the 'Forward Untrust Certificate' instead of the 'Forward Trust Certificate'. If it's denying the traffic it means that your decryption profile likely has the 'Block sessions with expired certificates' checked.

Why PA shows cert as invalid or non trusted when vendor ssl cert is expired?

Because if a certificate is expired it is no longer trusted, even though it was issued by a trusted issuer.

How does PA know that vendor ssl cert is expired?

When proxying the connection the firewall reads the certificate of the website to issue a certificate for the site on the fly, so your clients actually trust the connection.

Cyber Elite

For the decryption profile, Block expired certs is unchecked; my session was still blocked.

MP
L7 Applicator

Is it actually being blocked and you're getting a firewall block page?

Or are you saying that your browser shows the certificate as expired even though the firewall is decrypting it?

If it's the latter, that is expected. The firewall copies values from the server's certificate to create the decryption certificate. It takes the Subject and the Validity Period values, so if the server's cert or common name/SNI are "bad" then the decrypted version will be "bad" as well.
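The two behaviours described in this thread (the firewall re-issues a certificate that copies Subject and Validity from the real server cert, signs it with the Forward Untrust CA when the original is expired or untrusted, and only denies the session if the profile's "Block sessions with expired certificates" box is checked) can be modelled in a few lines. This is an added illustration, not Palo Alto Networks code; the certificate dicts are constructed samples in the shape Python's ssl.getpeercert() returns, and the CA names and profile fields are assumptions for the model.

```python
import ssl
from dataclasses import dataclass

# Constructed sample, not a real vendor certificate: expired at the start of 2020.
VENDOR_CERT = {
    "subject": ((("commonName", "vendor.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}


@dataclass
class DecryptionProfile:
    """Assumed model of the two profile settings that matter here."""
    block_expired: bool = False                       # "Block sessions with expired certificates"
    trusted_issuers: tuple = ("Example Public CA",)   # CAs the firewall trusts


def parse_cert_time(text):
    """Parse the notBefore/notAfter format used by getpeercert() into epoch seconds."""
    return ssl.cert_time_to_seconds(text)


def is_expired(cert, now):
    """Validity check the proxy performs when it reads the server certificate."""
    return not (parse_cert_time(cert["notBefore"]) <= now <= parse_cert_time(cert["notAfter"]))


def forward_proxy(cert, profile, now):
    """Return (action, generated_cert); action is 'block', 'forward-trust' or 'forward-untrust'."""
    expired = is_expired(cert, now)
    if expired and profile.block_expired:
        return "block", None  # the session would be logged as a policy deny
    issuer_cn = dict(pair for rdn in cert["issuer"] for pair in rdn)["commonName"]
    untrusted = expired or issuer_cn not in profile.trusted_issuers
    # The on-the-fly certificate copies Subject and Validity Period from the server cert,
    # so a browser behind the proxy still sees the expired dates. Only the issuer changes.
    generated = {
        "subject": cert["subject"],
        "notBefore": cert["notBefore"],
        "notAfter": cert["notAfter"],
        "issuer": ((("commonName", "Forward Untrust CA" if untrusted else "Forward Trust CA"),),),
    }
    return ("forward-untrust" if untrusted else "forward-trust"), generated


if __name__ == "__main__":
    now = parse_cert_time("Jun  1 00:00:00 2020 GMT")
    print(forward_proxy(VENDOR_CERT, DecryptionProfile(), now))
    print(forward_proxy(VENDOR_CERT, DecryptionProfile(block_expired=True), now))
```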

Cyber Elite

I am saying that my browser shows the certificate as expired even though the firewall is decrypting it -- yes.

Traffic log shows session end reason as policy deny.

So if the traffic log shows policy deny, then it is normal behaviour, right?

MP
L7 Applicator

I apologize, I completely missed that in your original post. 

 

No, if you see policy deny, then that session was definitely denied. What is the user experience when this happens? Can the site be browsed as normal if you proceed past the certificate warning? If you can browse normally then the denied session is likely not all that important.

 

I hate leaving something like that unknown, but it all depends on how much time you want to put into research if the user experience is fine.

Cyber Elite

No, users were unable to go beyond the cert warning page.

There was no option to click on to proceed further.

During that time I did a pcap on the PA; it shows no drops.

I see fw, tx and rx stages.

Anything I should check in the pcaps?

 

MP
L7 Applicator

There are some debugs, but they can be dangerous to turn on because of the volume of logs it generates (flow basic + proxy basic). I highly recommend opening a case with support to go through the policy and config to see if they can help with a review of your system before diving in to the debugs.
