SSL Inbound Decryption Failing
cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Inbound Decryption Failing

L1 Bithead

hello, we are setting up SSL Inspection for inbound traffic but it is failing when clients try to access, we are getting unsupported protocol errors.  ssl labs shows the following issues around handshaking.

 

RyanJohnstone1144_0-1612884336341.png

 

with SSL Inspection off we do not see these errors

 

RyanJohnstone1144_1-1612884421679.png

 

can anyone advise what we can do to address this?  we are running PAN OS 9.0

 

Thanks

 

Ryan

2 REPLIES 2

Cyber Elite
Cyber Elite

@RyanJohnstone1144,

Mismatched or unsupported ciphers are the cause of 99.9% of these issues. Verify that all of the ciphers used by the server are actually supported by the firewall and that only supported ciphers are being utilized. If you have ciphers checked on your decryption profile that the server doesn't support, or ciphers on the server that the firewall doesn't support, it's not able to proxy that connection properly. 

Thanks for the reply.

 

looks like issue is to do with EC x25519 being used by our server.  i see this is supported on PAN OS 10 with TLS1.3 and is NIST approved.

 

Do you know if support for this will be added to PAN OS 9.0?  i am reluctant to ask our server team to disable x25519 across our server estate or move up to 10.0 at this current time.

 

Thanks

 

Ryan

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!