SSL Inbound decryption and nginx webserver

L1 Bithead

Hello,

I am trying to configure nginx 1.6.2 (on Linux Ubuntu Server 14.04 LTS) to fully support SSL Inbound decryption.

We're running PAN-OS 6.0.9.

Based on the document Inbound SSL Decryption Not Working Due to Unsupported Cipher Suites, I configured this in my nginx.conf:

ssl_ciphers "AES256-SHA256:AES128-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES256-SHA:AES128-SHA";

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

But PAN-OS does not decrypt the traffic.

Can you help me?

Tnx

Carlo

4 REPLIES 4

L3 Networker

Hi ctovazzi,

Can you let a pcap run on the client machine, locate the cipher suite chosen from the server hello packet and paste it here?

Say for example -

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

And also the output of the command,

>show counter global | match proxy

Thank You.

Hi prb,

I ran a pcap on the client machine.

In the pcap, I found this (from my client to the server):

HandShake protocol: Client Hello

Version: TLS 1.2

Cipher Suites (21 suites):

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)

Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)

Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)

Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

and this (from the server to the client, after the Client Hello handshake message):

TLSv1.2 Record Layer: Handshake Protocol: Server Hello

Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

Carlo

L2 Linker

Just to verify

The traffic is going from one zone to another or alternatively between two different interfaces of the same zone on the firewall

There is a security policy in place to allow the traffic to flow

The certificate and private key for the nginx set have been installed on the PA

There is a decryption policy set for SSL Inbound Inspection

Is the client connecting to the server IP or the NAT address for the server?

If you could provide more detail about your configuration, that would help to troubleshoot

James Costello
Global Solutions Architect, NGFW
Palo Alto Networks

Hi ctovazzi,

From the logs, the issue is not with an unsupported cipher suite.

You should verify the configuration as requested by costello.

If everything is fine, you can check the counters to narrow it down further.

>show counter global | match proxy
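
The check made by eye in this thread, as an added example that is not part of the original posts: it takes the `ssl_ciphers` list, the Client Hello suite ids and the Server Hello line quoted above, works out which suite nginx selects with `ssl_prefer_server_ciphers on`, and confirms that the result is a static RSA key-exchange suite, the kind that can be decrypted with the server's private key alone. The function names are hypothetical, the OpenSSL-to-IANA mapping is the standard one for these seven suites, and it is assumed that the server's OpenSSL build enables all of them.

```python
import re

# nginx ssl_ciphers value from the first post (OpenSSL names, server preference order).
NGINX_CIPHERS = "AES256-SHA256:AES128-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES256-SHA:AES128-SHA"
# OpenSSL name -> (IANA name, suite id) for the seven configured suites.
OPENSSL_TO_IANA = {
    "AES256-SHA256": ("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x003D),
    "AES128-SHA256": ("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x003C),
    "RC4-SHA": ("TLS_RSA_WITH_RC4_128_SHA", 0x0005),
    "RC4-MD5": ("TLS_RSA_WITH_RC4_128_MD5", 0x0004),
    "DES-CBC3-SHA": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x000A),
    "AES256-SHA": ("TLS_RSA_WITH_AES_256_CBC_SHA", 0x0035),
    "AES128-SHA": ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x002F),
}
# Suite ids from the Client Hello pasted in the thread, in the client's order.
CLIENT_OFFERED = [0xC02B, 0xC02F, 0x009E, 0xCC14, 0xCC13, 0xCC15, 0xC00A, 0xC014,
                  0x0039, 0xC009, 0xC013, 0x0033, 0xC007, 0xC011, 0x009C, 0x0035,
                  0x002F, 0x0005, 0x0004, 0x000A, 0x00FF]
# Server Hello line from the same capture.
SERVER_HELLO = "Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)"

def parse_suite(line):
    """Parse a Wireshark 'Cipher Suite: NAME (0xNNNN)' line into (name, id)."""
    m = re.search(r"Cipher Suite:\s*(\w+)\s*\((0x[0-9a-fA-F]{4})\)", line)
    if not m:
        raise ValueError(f"not a cipher suite line: {line!r}")
    return m.group(1), int(m.group(2), 16)

def key_exchange(iana_name):
    """Return the key-exchange part of an IANA name, e.g. 'RSA' or 'ECDHE_RSA'."""
    m = re.match(r"TLS_(.+?)_WITH_", iana_name)
    return m.group(1) if m else None

def server_choice(cipher_string, offered):
    """With server preference on, the first configured suite the client offers wins."""
    for name in cipher_string.split(":"):
        iana = OPENSSL_TO_IANA[name]
        if iana[1] in offered:
            return iana
    return None  # no overlap: the handshake would fail

def analyse():
    """Compare the predicted selection with the captured Server Hello."""
    expected = server_choice(NGINX_CIPHERS, CLIENT_OFFERED)
    observed = parse_suite(SERVER_HELLO)
    return {"expected": expected, "observed": observed,
            "matches_capture": expected == observed,
            "static_rsa": key_exchange(observed[0]) == "RSA"}
```
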
