07-06-2020 12:33 AM
Hello to all,
We have a Linux website that we got working with inbound SSL inspection by disabling curve25519 / x25519.
Some clients report errors (always showing as decrypt errors in the monitoring) accessing the site: by taking a network trace on the firewall side it seems like all the clients are trying to negotiate TLS v1.
If I try with the same combination of browser (Edge legacy and Chromium version) and OS (Windows 10 1903) I am able to reach the site, and in the trace I see that the correct version (TLS 1.3) is negotiated between the client and the Palo Alto.
Of course, if I disable the inspection all goes fine. Does anyone have any hints or suggestions?
Thanks
07-06-2020 01:42 PM
Hello,
The client needs to trust the certificate. I would say use a public certificate and/or have the client install the root cert that is being used.
Regards,
07-06-2020 07:45 PM
Do you have TLS 1.0 enabled on your inbound decryption profile? Best practice would be for this to be disabled if it isn't required, which would cause your decryption issues.
07-07-2020 07:21 AM
So the one thing to keep in mind here is that clients don't have to support set versions of TLS. You could easily be seeing scanning traffic that is only using TLS 1.0 or TLS 1.1. You've verified that the site in question works correctly when you access the connection with TLS 1.2+ enabled, so now the real question is why the client isn't at least supporting TLS 1.2+.
This is where you kind of have to work with someone reporting the issue to see if their browser and computer are actually set up to utilize TLS 1.2. If they are not, you essentially can only ask anyone running into the issue to migrate to allowing TLS 1.2, or modify your profile to allow TLS 1.0 and TLS 1.1. Personally I would be telling the client they need to support current security standards, but that may not work with your organization.
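An added example, not from any of the posters, for checking what a client in such a trace actually offers: a small parser for a TLS ClientHello record. It shows why a capture can look like "TLS 1.0" at first glance: the record-layer version of an initial ClientHello is often 0x0301 and the handshake legacy_version is 0x0303, while a TLS 1.3 client states its real offer in the supported_versions extension; supported_groups shows whether the client offers any curve besides the x25519 that was disabled for inspection. The sample ClientHello is constructed inline and is not from the thread.

```python
import struct

SUPPORTED_VERSIONS, SUPPORTED_GROUPS = 0x002B, 0x000A   # extension type codes (RFC 8446)
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3", 0x001D: "x25519", 0x0017: "secp256r1"}

def parse_client_hello(record: bytes) -> dict:
    """Return record-layer version, handshake legacy_version, supported_versions and supported_groups."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 0x01:
        raise ValueError("not a ClientHello record")
    hs_end = 4 + int.from_bytes(body[1:4], "big")
    legacy_ver = struct.unpack("!H", body[4:6])[0]
    pos = 6 + 32                                            # skip the 32-byte random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    info = {"record_version": rec_ver, "legacy_version": legacy_ver,
            "supported_versions": [], "supported_groups": []}
    if pos + 2 > hs_end:                                    # no extensions at all: pre-1.3 client
        return info
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == SUPPORTED_VERSIONS:                     # 1-byte list length, then 2-byte versions
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
        elif etype == SUPPORTED_GROUPS:                     # 2-byte list length, then 2-byte groups
            n = struct.unpack("!H", data[:2])[0]
            info["supported_groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return info

def build_client_hello(versions, groups) -> bytes:
    """Constructed sample ClientHello (all-zero random, one cipher suite) used to exercise the parser."""
    vs = b"".join(struct.pack("!H", v) for v in versions)
    gs = b"".join(struct.pack("!H", g) for g in groups)
    exts = struct.pack("!HHB", SUPPORTED_VERSIONS, len(vs) + 1, len(vs)) + vs if versions else b""
    exts += struct.pack("!HHH", SUPPORTED_GROUPS, len(gs) + 2, len(gs)) + gs if groups else b""
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"   # legacy_version, random,
            + struct.pack("!H", len(exts)) + exts)                                       # sid, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record layer says 0x0301 even for a 1.3 client

if __name__ == "__main__":
    hello = build_client_hello([0x0304, 0x0303], [0x001D])    # constructed: TLS 1.3 client offering only x25519
    for key, val in parse_client_hello(hello).items():
        print(key, [NAMES.get(v, hex(v)) for v in (val if isinstance(val, list) else [val])])
```

On a real capture, feed the parser the raw bytes of the first TLS record the client sends; a client whose supported_versions is empty and whose legacy_version is 0x0301 or 0x0302 really is a TLS 1.0/1.1 client.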
07-07-2020 08:19 AM
The client combination is Edge and Explorer on Windows above version 1903.
The site without the inspection only offers TLS 1.2 and above and is working fine. The problem for me occurs only when we activate the inbound inspection on the Palo Alto side.