SSL Inspection and SSL Labs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Inspection and SSL Labs

Cyber Elite
Cyber Elite

Outside of minimum and maximum supported tls versions and ciphers what are some things to look for on SSL Labs that would be breaking decryption. In the Palo decryption logs if it shows error "Early close notify" what would be something to look for as the root cause?

7 REPLIES 7

Cyber Elite
Cyber Elite

Are you having issues with ssl decryption if users access the site?

SSL Labs by design will try different cipher settings and tests site security posture so seeing logs about failed connections in firewall logs is expected when those tests are performed.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yeah site is breaking for users when ssl inspection is applied, I can bypass that url from decryption and it works fine then. Saw the decryption logs showed "early close notify" then ran an SSL Labs check after the fact to see if anything stuck out.

Cyber Elite
Cyber Elite

Is this related to decrypting user traffic to website hosted somewhere in internet or you host web server and trying to set up ssl decryption for traffic from internet towards your web server?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Forward proxy for internet traffic. Just curious what "early close notify" indicates or if there is anything to look for on the SSL Labs report that would indicate why its breaking.

Cyber Elite
Cyber Elite

Hi @Claw4609 ,

 

I agree with you.  It would be nice if PANW had an index of decryption errors.  I found this -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but an index of every error and cause would be nice.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Claw4609, I have recently just started to see a ton of early close notify Protocol errors on our PA's for and it seems to have just started. Some of the sites are well known sites with a fully trusted chains such as youtube.com and connectivitycheck.gstatic.com.
Is that what you are seeing?

Not necessarily on those sites specifically but we are seeing it on some notable sites.

  • 3816 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!