This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
SSL Inbound decryption woes
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- SSL Inbound decryption woes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
SSL Inbound decryption woes
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-08-2013 12:10 PM
Hi there,
we just configured our first SSL Inbound decryption, but we have some trouble and need help troubleshooting it.
Very simple setup:
Webserver in DMZ zone
Firewall policy: from:untrust to:dmz; src:any; dst:webserver; app:ssl,web-browsing; service:service-http(s); action:allow
Decryption policy: from:untrust to:dmz; src:any; dst:webserver; action:decrypt
The webserver's certifictate and key have been imported to the firewall.
Accessing the webserver from an external PC: Traffic gets decrypted perfectly.
Accessing the webserver from an iPhone and from and Android device: Traffic is *not* being decrypted.
In all cases the source IPs were completely random and are not subject to any firewall rule. This is reproducible and I tried to find out why it would decrypt in one case but not in another.
Any ideas? Is there a way I can troubleshoot this other than looking at the traffic logs, which don't contain any helpful information?
Thanks
Labels:
- Labels:
-
Set Up
-
Troubleshooting
21 REPLIES 21
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-09-2013 11:02 AM
I guess it's time to open a case with PAN support.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-09-2013 11:03 AM
I've got two pcaps open right now, and it looks like the difference between the two of them is the TLS version that was negotiated.
The pcap I captured of a session where decrypt seems to work has TLSv1. The pcap of the session where decrypt did NOT appear to work negotiated TLSv1.2.
Can somebody else confirm what I'm seeing?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-09-2013 11:04 AM
We're opening a case too.. we can reference your case (and vice-versa) if you'd like, maybe it'll get some more traction that way.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-09-2013 11:05 AM
Thanks. Will do and post the case number here.
Related Content
- reverse proxy key 'abc.com' doesn't match certificate issued to 'abc.com' in General Topics
- User insertion fail with keep alive header enable in Next-Generation Firewall Discussions
- Vulnerability Protection profile alters APP-ID behavior in General Topics
- AWS and Inbound SSL Inspection in VM-Series in the Public Cloud
- ssl-inbound inspection problem in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks