- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-06-2023 08:36 AM
Outside of minimum and maximum supported tls versions and ciphers what are some things to look for on SSL Labs that would be breaking decryption. In the Palo decryption logs if it shows error "Early close notify" what would be something to look for as the root cause?
06-06-2023 09:12 AM
Are you having issues with ssl decryption if users access the site?
SSL Labs by design will try different cipher settings and tests site security posture so seeing logs about failed connections in firewall logs is expected when those tests are performed.
06-06-2023 09:42 AM
Yeah site is breaking for users when ssl inspection is applied, I can bypass that url from decryption and it works fine then. Saw the decryption logs showed "early close notify" then ran an SSL Labs check after the fact to see if anything stuck out.
06-06-2023 10:32 AM
Is this related to decrypting user traffic to website hosted somewhere in internet or you host web server and trying to set up ssl decryption for traffic from internet towards your web server?
06-06-2023 11:01 AM
Forward proxy for internet traffic. Just curious what "early close notify" indicates or if there is anything to look for on the SSL Labs report that would indicate why its breaking.
06-06-2023 01:04 PM
Hi @Claw4609 ,
I agree with you. It would be nice if PANW had an index of decryption errors. I found this -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but an index of every error and cause would be nice.
Thanks,
Tom
06-09-2023 02:50 PM
Claw4609, I have recently just started to see a ton of early close notify Protocol errors on our PA's for and it seems to have just started. Some of the sites are well known sites with a fully trusted chains such as youtube.com and connectivitycheck.gstatic.com.
Is that what you are seeing?
06-10-2023 03:11 PM
Not necessarily on those sites specifically but we are seeing it on some notable sites.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!