Hello to all,
We have a Linux website that we made work with inbound SSL inspection by disabling curve25519 / x25519.
Some clients report errors (always showing as decrypt errors on the monitoring) accessing the site: by taking a network trace on the firewall side it seems like all the clients are trying to negotiate TLS v1.
If I try with the same combination of browser (Edge legacy and Chromium version) and OS (Windows 10 1903) I am able to reach the sites, and in the trace I see that the correct version (TLS 1.3) is negotiated between the client and the Palo Alto.
Of course if I disable the inspection all goes fine. Does anyone have any hints or suggestions?
So the one thing to keep in mind here is that clients don't have to support set versions of TLS. You could easily be seeing scanning traffic that is only using TLS 1.0 or TLS1.1. You've verified that the site in question works correctly when you access the connection with TLS1.2+ enabled, so now the real question is why the client isn't at least supporting TLS1.2+?
This is where you kind of have to work with someone reporting the issue to see if their browser and computer are actually set up to utilize TLS1.2. If they are not, you essentially can only ask anyone running into the issue to migrate to allowing TLS1.2 or modify your profile to allow TLS1.0 and TLS1.1. Personally I would be telling the client they need to support current security standards, but that may not work with your organization.
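As an added example (not code from the thread or from Palo Alto), here is a small Python helper for the triage step the answer describes: given the raw bytes of a ClientHello record pulled from a capture, it reports the highest TLS version the client actually offers. The point it illustrates is that a TLS 1.3 client keeps the legacy version field at 0x0303 and advertises 1.3 only in the supported_versions extension, whereas a client that really only speaks TLS 1.0 sends 0x0301 and no such extension, so you can tell "old scanner" from "modern browser" without guessing from the record header. The ClientHello bytes are constructed sample data built by `build_client_hello`, not from anyone's real trace; the minimum-version threshold is an assumption matching a TLS 1.2+ decryption profile.

```python
"""Triage helper: which TLS version does a client really offer in its ClientHello?

Added example, not part of the forum thread. Input is a raw TLS record as you would
copy it out of a packet capture; sample records here are constructed, not captured.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; return the legacy version,
    the supported_versions list (empty for pre-1.3 clients) and the highest offered."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip client_random
    sid_len = hello[pos]; pos += 1 + sid_len       # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher suites
    comp_len = hello[pos]; pos += 1 + comp_len     # compression methods
    supported = []
    if pos + 2 <= len(hello):                      # extensions block is optional; old clients omit it
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                n = data[0]                        # length of the version list in bytes
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    highest = max(supported) if supported else legacy_version
    return {"legacy_version": legacy_version, "supported_versions": supported, "highest": highest}


def triage(record: bytes, minimum: int = 0x0303) -> str:
    """Classify a ClientHello against a minimum-version profile (assumed TLS 1.2+)."""
    info = parse_client_hello(record)
    name = VERSION_NAMES.get(info["highest"], hex(info["highest"]))
    if info["highest"] < minimum:
        return f"LEGACY: offers at most {name}; will fail a {VERSION_NAMES[minimum]}+ profile"
    return f"OK: offers up to {name}"


def build_client_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (sample data for this demo, not a real capture)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32   # version + zeroed client_random
    body += b"\x00"                                            # empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"                 # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                        # compression: null only
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    # record-layer version 0x0301 mirrors what real 1.2/1.3 clients send for compatibility
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    old_client = build_client_hello(0x0301)                       # TLS 1.0-only client
    new_client = build_client_hello(0x0303, [0x0304, 0x0303])     # modern browser
    for label, rec in (("old_client", old_client), ("new_client", new_client)):
        print(label, parse_client_hello(rec), triage(rec))
```

In practice you would feed the bytes of the ClientHello record from the firewall-side capture into `parse_client_hello`; if `highest` comes back as 0x0301 with an empty `supported_versions`, the client (or scanner) genuinely only offers TLS 1.0 and the decrypt error is expected under a TLS 1.2+ profile.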