01-04-2022 12:27 PM
Hi,
I have a decryption policy for inbound SSL decryption to a web page. Therefore I have included the private certificate.
In the decryption monitor there is a message:
( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )
I found this link https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but my bitmask is 0x00?
How can I fix it? I chose the Strict SSL control decryption profile, but it didn't help.
01-05-2022 06:47 AM
Hi @Moritz ,
Supported cipher suites will vary depending on your PAN-OS version. What's your current version and how is your decryption profile configured ?
As an example, some earlier PAN-OS versions only supported DHE or ECDHE for SSL Forward Proxy (it wasn't supported for Inbound Inspection).
You might want to do some more debugging: check which cipher suite the client and server agree on in the SSL handshake and compare that to the compatibility matrix to see whether it's actually supported:
https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites.html
Hope it helps
-Kiwi.
01-05-2022 09:02 AM
Hi @kiwi ,
I have a PA220 with PANOS 10.0.8.
As decryption profile I tested none, default and Strict SSL.
How can I debug this? Trace a request and look into the SSL header? I have not done anything like this before and have no experience with it.
01-05-2022 11:20 AM
You need to look at the supported cipher suite document that @kiwi linked and pass that along to the person running your web server or load balancer. The website and the firewall need to have the same ciphers enabled so that the firewall can actually proxy the traffic. There's not a magic solution to this one, you need to work with your web admin.
01-06-2022 01:30 AM
Hi @Moritz ,
What @BPry said 🙂 !
My guess is that the web server offers a cipher suite that the PA doesn't support. If you can run a PCAP you should be able to capture the SSL handshake and get information on the cipher suite being used.
Hope this helps,
-Kiwi.
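The advice above (capture the handshake, see which cipher suite the client offers and the server picks, compare with what the firewall supports) can be worked through offline. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a raw TLS ClientHello and ServerHello record, as you would pull them out of a PCAP, and reports the negotiated suite and the overlap between the client's offer and a firewall-supported set. The FIREWALL_SUPPORTED set and the two sample records are constructed assumptions for the demo; the real list is the compatibility matrix linked above, and the handshake bytes would come from your capture.

```python
"""Added example (not PAN-OS code): extract cipher suites from raw TLS
ClientHello / ServerHello records and compare them with an assumed
firewall-supported set. Record layouts follow RFC 5246 section 7.4.1."""
import struct

# IANA cipher-suite IDs (subset) mapped to their registry names.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}

# ASSUMPTION: a hypothetical "what the firewall can decrypt" set used only
# for this demo. Replace with the suites from the compatibility matrix.
FIREWALL_SUPPORTED = {0x002F, 0x0035, 0x009C, 0xC013, 0xC02F, 0xC030}


def _name(suite: int) -> str:
    return CIPHER_NAMES.get(suite, f"0x{suite:04X}")


def _handshake_body(record: bytes):
    """Return (handshake_type, body) from one TLS record holding one handshake message."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hs_len:
        raise ValueError("truncated handshake message")
    return hs[0], hs[4:4 + hs_len]


def client_hello_ciphers(record: bytes) -> list:
    """Cipher suites offered by the client, in the client's preference order."""
    hs_type, body = _handshake_body(record)
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                      # client_version + random
    pos += 1 + body[pos]              # session_id length byte + session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + cs_len]
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]


def server_hello_cipher(record: bytes) -> int:
    """The single cipher suite the server selected."""
    hs_type, body = _handshake_body(record)
    if hs_type != 2:
        raise ValueError("not a ServerHello")
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def diagnose(client_record: bytes, server_record: bytes, supported=FIREWALL_SUPPORTED) -> dict:
    """Summarise why the firewall could (not) proxy this handshake."""
    offered = client_hello_ciphers(client_record)
    chosen = server_hello_cipher(server_record)
    return {
        "offered": [_name(s) for s in offered],
        "negotiated": _name(chosen),
        "negotiated_supported": chosen in supported,
        # suites the client offered that the firewall could have handled;
        # an empty list is the situation a client bitmask of 0x00000000 describes
        "client_overlap": [_name(s) for s in offered if s in supported],
    }


# Constructed sample records (zeroed random, empty session id) standing in
# for bytes you would extract from a PCAP of the failing connection.
def build_client_hello(suites) -> bytes:
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Server prefers ChaCha20 (assumed unsupported) although the client also
    # offered AES-GCM: the fix is on the server's cipher order, not the client.
    client = build_client_hello([0xCCA8, 0xC02F, 0x002F])
    server = build_server_hello(0xCCA8)
    for k, v in diagnose(client, server).items():
        print(f"{k}: {v}")
```

If the negotiated suite is outside the supported set but "client_overlap" is non-empty, the web server's cipher preference is what has to change; if "client_overlap" is empty, no cipher the client offers can be decrypted by the firewall at all, and either the client or the supported set (PAN-OS version) is the constraint.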
08-30-2024 08:57 PM
( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )
According to the reference article linked below, the cipher bitmask 0x00000000 means that the firewall doesn't support the cipher.
Reference: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry...