SSL inspection decrypt error from some client


L1 Bithead

Hello to all,

 

We have a Linux website that we got working with inbound SSL inspection by disabling curve25519 / x25519.

Some clients report errors (always showing as decrypt errors on the monitoring) accessing the site: by taking a network trace on the firewall side, it seems like all the clients are trying to negotiate TLS V1.

If I try with the same combination of browser (Edge legacy and Chromium version) and OS (Windows 10 1903), I am able to reach the site, and in the trace I see that the correct version (TLS 1.3) is negotiated between the client and the Palo Alto.

Of course, if I disable the inspection all goes fine. Does anyone have any hints or suggestions?

 

Thanks

 

 

5 REPLIES 5

Cyber Elite

Hello,

The client needs to trust the certificate. I would say use a public certificate and/or have the client install the root cert that is being used.

 

Regards,

Cyber Elite

@adalfarra,

Do you have TLS1.0 enabled on your inbound decryption profile? Best practice would be that this would be disabled if it isn't required, which would cause your decryption issues. 

@BPry 

The profile only permits TLS 1.2 and above; also, the certificate is public.

Thanks

@adalfarra,

So the one thing to keep in mind here is that clients don't have to support set versions of TLS. You could easily be seeing scanning traffic that is only using TLS 1.0 or TLS1.1. You've verified that the site in question works correctly when you access the connection with TLS1.2+ enabled, so now the real question is why the client isn't at least supporting TLS1.2+?

This is where you kind of have to work with someone reporting the issue to see if their browser and computer are actually set up to utilize TLS1.2. If they are not, you essentially can only ask anyone running into the issue to migrate to allowing TLS1.2 or modify your profile to allow TLS1.0 and TLS1.1. Personally I would be telling the client they need to support current security standards, but that may not work with your organization.

@BPry 

 

The client combination is Edge and Explorer on Windows above version 1903.

The site without the inspection only offers TLS1.2 and above and is working fine. The problem for me occurs only when we activate the inbound inspection on the Palo Alto side.
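Added example (not part of any post in this thread, and not vendor code): to check from a firewall-side trace what a reporting client actually offers, the Python below parses one ClientHello record and reports the record-layer version, `legacy_version`, the `supported_versions` list and the `supported_groups` (including x25519). RFC 8446 permits an initial ClientHello to carry record-layer version 0x0301 even when the client offers TLS 1.2/1.3, so the offer has to be read from the handshake body. The function names and sample bytes are constructed for illustration, and the parser assumes the ClientHello fits in a single unfragmented record.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}

def _u16_list(data: bytes) -> list:
    """Decode big-endian u16 values, dropping GREASE placeholders (0x0A0A, 0x1A1A, ...)."""
    return [v for (v,) in struct.iter_unpack("!H", data) if not ((v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF))]

def parse_client_hello(record: bytes) -> dict:
    """Report the TLS versions and key-exchange groups offered in one ClientHello record."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 22 or record[5] != 1:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:5 + rec_len]      # skip record header (5) and handshake header (4)
        legacy_ver = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32                      # legacy_version + random
        pos += 1 + body[pos]              # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]              # compression_methods
        offered, groups = [legacy_ver], []  # without supported_versions, legacy_version is the offer
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0] if pos < len(body) else pos
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 43:            # supported_versions: u8 length, then u16 list
                offered = _u16_list(data[1:1 + data[0]])
            elif ext_type == 10:          # supported_groups: u16 length, then u16 list
                groups = _u16_list(data[2:2 + struct.unpack_from("!H", data, 0)[0]])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return {"record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "legacy_version": VERSIONS.get(legacy_ver, hex(legacy_ver)),
            "offered": [VERSIONS.get(v, hex(v)) for v in offered],
            "highest": VERSIONS.get(max(offered, default=legacy_ver)), "groups": [GROUPS.get(g, hex(g)) for g in groups]}

def build_client_hello(legacy=0x0303, versions=(0x7A7A, 0x0304, 0x0303)) -> bytes:
    """Constructed sample (not a real capture); record-layer version is fixed at 0x0301."""
    exts = b""
    if versions:
        v = struct.pack(f"!{len(versions)}H", *versions)
        exts = struct.pack("!HHB", 43, len(v) + 1, len(v)) + v              # supported_versions
        exts += struct.pack("!HHH3H", 10, 8, 6, 0x1A1A, 0x001D, 0x0017)     # supported_groups
        exts = struct.pack("!H", len(exts)) + exts
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x1301) + b"\x01\x00" + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
```

Feed it the raw bytes of the first TLS record a failing client sends (exported from the capture) and compare `highest` and `groups` against what the decryption profile allows.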
