SSL inspection decrypt error from some client

Reply
Highlighted
L1 Bithead

SSL inspection decrypt error from some client

Hello to all,

 

We have a linux website that we made working with inbound ssl inspection by disabling curve25519 / x25519.

Some clients report errors ( always showing as decrypt errors on the monitoring) accessing the site: by taking a networrk trace on the firewall side it seems like all the client are trying to negotiate TLS V1.

If I try with the same combination of browser (Edge legacy and cromium version) and S.O (windows 10 1903) I am able to reach the sites and in the trace i see that the correct version (TLS 1.3) is negotiated between the client and the palo alto.

Off course if I disable the inspectio all goes fine. Anyone have any hints or suggestion?

 

thanks

 

 

Tags (2)
Highlighted
Cyber Elite

Hello,

The client needs to trust the certificate. I would say use a public certificate and or have the client install the root cert that is being used.

 

Regards,

Highlighted
Cyber Elite

@adalfarra,

Do you have TLS1.0 enabled on your inbound decryption profile? Best practice would be that this would be disabled if it isn't required, which would cause your decryption issues. 

Highlighted
L1 Bithead

@BPry 

the profile only permits TLS 1.2 and above, also the certificate is public

thanks

Cyber Elite

@adalfarra,

So the one thing to keep in mind here is that clients don't have to support set versions of TLS. You could easily be seeing scanning traffic that is only using TLS 1.0 or TLS1.1. You've verified that the site in question works correctly when you access the connection with TLS1.2+ enabled, so now the real question is why the client isn't at least supporting TLS1.2+?

This is where you kind of have to work with someone reporting the issue to see if their browser and computer are actually setup to utilize TLS1.2. If they are not, you essentially can only ask anyone running into the issue to migrate to allowing TLS1.2 or modify your profile to allow TLS1.0 and TLS1.1. Personally I would be telling the client they need to support current security standards, but that may not work with your organization. 

Highlighted
L1 Bithead

@BPry 

 

The client combination is edge and explorer on windows above version 1903.

The site without the inspection only offers TLS1.2 and above and is  working fine. The problem for me occurs only when we activate the inbound inspection at the palo alto side

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!