ssl inbound inspection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ssl inbound inspection

L4 Transporter

Hi community,

 

Will PA support inbound ispection if key exchnge mechanism is DHE/ECDHE ?.

i hope PA wont be proxying inbound SSL connection. whether PA changed this behaviour from any versions?

is there is a way to configure PA as proxy( we have server certificate/key installed in PA, only issue is PA resources. So if my website traffic is usually less, will i able to do proxying ?)

what if i need to do inbound decryption for servers using DHE ?

is it nessossary to change the behaviour in server that to use only RSA as key exchange ?

1 accepted solution

Accepted Solutions

Hi @gwesson ,  Thanks.

 

I found the issue, as i was running PanOS 8.0.13, PA should be doing proxy,

The issue was, the web server was on windows 2016 and the default elliptic curve it was using was 25519, which i hope currently not supported by PA. post disabling/changing priority of curve, i am able to do inbound inspection successfully.

View solution in original post

11 REPLIES 11

L7 Applicator

Starting with PAN-OS 8.0, it supports inbound with DHE/ECDHE. See this in the new features guide: 8.0 Inbound PFS

It is proxying the TLS traffic. That is the only way to decrypt DHE/ECDHE, since (by design of the exchange mechanism) it cannot be decrypted passively even with the private key.

Thanks gwesson
I am running 8.0.13 in my device, still i am getting decryption error. If PA is working as proxy, we should not get any unsupported parameter error as PA will be involved in selecting ciphersuit. I feel PA still trying to do decryption passively as i am getting parameter error, which contradicting PA document. do i need to enable it anywere? (i already selected all options in ssl protocole section). I understand if DHE is the key exchange, PA wont be able to see key as key is not shared as such, but end systems generate it with value exchange and math operations, PA should be proxy in this situation which is there in doc. Do i have an option to manually enable proxying?

If PA is working as proxy, we should not get any unsupported parameter error as PA will be involved in selecting ciphersuit. 

 

Not quite right. The firewall supports a specific subset of ciphers, and if your client is only presenting non-matching ciphers you'll fail to establish the connection. The full list is here, with the ECDHE and DHE on the bottom:

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

 

You don't need to manually enable proxying, it's always a proxy. Starting in 8.0, both inbound and outbound is acting as a proxy.

 

I didn't see any specific error message in your original post, so I don't know what "parameter error" you're referring to, but the ciphers is typically the easiest to confirm. 

 

If your site is public, you can use Qualys SSL scaner or even nmap to see what ciphers are supported.

Hi gwesson, appreciate your kind support.

without inbound decryption, client and server was aggying on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, which is supported in PanOS 8.0 ,

i am able to brows the website if i do a forward proxy( configured forward proxy from one internet ip to webserver for testing eventhough it is not the use of forward proxy), means there is atleast one matching ciphersuit in between client-PA and PA-server.

So i feel if PA was doing a inbound as a proxy as in the document, i wont face any issue. is there any known bug or something, which solved in later versions ?

 

 

The following is the error PA sends to both server and client once he recieves server hello packet,

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)

A handshake failure is unfortunately very generic and doesn't explain *why* there was an error, just that there *was* an error. It's the nature of the encryption so there's not much you can typically learn from just that.

 

You'll likely want to open a support ticket, as there may be more troubleshooting steps that can fork depending on some results. Generally, the times I see a handshake failure are:

 

- An unsupported cipher

- A blocked cipher (via the Decryption Profile)

- The server requires client certificate authentication

 

But beyond those three, you'll probably want some official support in troubleshooting it.

Thank gwesdon,
I really appreciate your help. I feel i am having little confution at how decryption profile works,
-what if PA finds that client and server agrees on a ciphersuit PA doest support, PA will put it no decrypt or block session ?(i didnt checke 'block unsupported ciphersuit' under ssl inbound.
-in my case if i select only 'DHE' in key echange, communication happens properly( i am not selected any blocking options under decryption profile inbound inspection) , is PA is actually decryptiong traffic?. Because in same profile if i just check 'block unsupported ciphersuit', communication fails. Which makes me feel like PA wont support on agreeying ciphersuit, and if that is the case PA wont be able to proxy and decrypt no?(but in Traffic field it shows decrypted), makes bit confusion about how this works.

Added to above all,

i found that server was sending hello packet with 'Master Secret Extension', 'ALPN' extentions enabled, upon checking some document, i am seeing 'Master Secret Extension' may cause decryption to break if proxied. is it the issue i am hitting on?

is this solved in any of new versions( i am running 8.0.13 currently).

 

i have seen that PA wont modify the client hello to allowed algorithms configured in decryption profile while i am doing ssl inbound inspection. But it does modify and delete unconfigured ciphersuits for forward proxy.. Is this intended behaviur ?..or is it a bug or MITM cannot modify hello if he is not doing proxy?.

 

Thanks in advance.

Hi @gwesson ,  Thanks.

 

I found the issue, as i was running PanOS 8.0.13, PA should be doing proxy,

The issue was, the web server was on windows 2016 and the default elliptic curve it was using was 25519, which i hope currently not supported by PA. post disabling/changing priority of curve, i am able to do inbound inspection successfully.

I am also facing SSL in bound decryption error . In Packet capture ''named Curve : x25519 is showing . When i have asked with Server team they are using default cipher suit in their windows server 2016 . Its mean default setting is using 25519 curve ? its need to be disabled from server end ? 

 

Right now any work around in Palo alto ? 

Hi @NetworkSupport1Link 

Looks like the issue is not addressed yet. What if you disable thee curve 25519 ? is it working ?. You can add 25519 as last in the sequence.

https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsecccurve?view=win10-ps

You may find the supported ECC curve in the below link.

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

 

As of now 25519 is not supported and by default it is enabled in Windows 2016.

 

You may disable it in the server by using the below command.

 

https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsecccurve?view=windowsserver2016-ps

 

 

  • 1 accepted solution
  • 10558 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!