Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
04-25-2015 06:11 AM
Hello,
I try to configure nginx 1.6.2 (on linux ubuntu server 14.04 LTS) with fully support SSL Inbound decryption.
We're running PAN-OS 6.0.9.
Based on the document Inbound SSL Decryption Not Working Due to Unsupported Cipher Suites, I configure this on my nginx.conf:
ssl_ciphers "AES256-SHA256:AES128-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES256-SHA:AES128-SHA
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
But, PAN-OS not decrypt traffic.
Can you help me ?
Tnx
Carlo
04-28-2015 06:03 AM
Hi ctovazzi,
Can you let a pcap run on the client machine, locate the cipher suite chosen from the server hello packet and paste it here?
Say for example -
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
And also output of command,
>show counter global | match proxy
Thank You.
04-28-2015 09:14 AM
Hi prb,
I run pcap on the client machine.
On pcap, I find this (from my client to server):
HandShake protocol: Client Hello
Version: TLS 1.2
Cipher Suites (21 suites):
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
and this (from server to client after Client Hello Hadshake protocol)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Carlo
04-29-2015 06:04 AM
Just to verify
The traffic is going from one zone to another or alternatively between two different interfaces of the same zone on the firewall
There is a security policy in place to allow the traffic to flow
The certificate and private key for the nginx set have been installed on the PA
There is a decryption policy set for SSL Inbound Inspection
Is the client connecting to the server IP or the NAT address for the server?
If you could provide more detail about your configuration, that would help to troubleshoot
04-29-2015 12:08 PM
Hi ctovazzi,
From the logs, issue is not with unsupported cipher suite.
You should verify configuration as requested by costello.
If everything is fine, you can check counters to narrow down further.
>show counter global | match proxy
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
