This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Unsupported cipher. Supported client cipher bitmask: 0x00000000

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unsupported cipher. Supported client cipher bitmask: 0x00000000

Moritz
L2 Linker

‎01-04-2022 12:27 PM

Hi,

have a decryption policies for inbound ssl decryption to a webpage. Therefor I have included the private Certificate.

At decryption monitor there is a message:

( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )

 

Found this link https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but my bitmask is 0x00 ?

 

How can I fix it? I chose the strict ssl control decryption profile but no help.

 

 

4 REPLIES 4

kiwi
Community Team Member

‎01-05-2022 06:47 AM

Hi @Moritz ,

 

Supported cipher suites will vary depending on your PAN-OS version.  What's your current version and how is your decryption profile configured ?

 

As an example, some earlier PAN-OS versions only supported DHE or ECDHE for SSL Forward Proxy (it wasn't not supported for Inbound Inspection). 

 

You might want to do some more debugging and check on which cipher suite client/server agree upon in the SSL handshake and compare that to the compatibility matrix to see if it's actually supported:

 

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites.html

 

Hope it helps

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
(1)

Moritz
L2 Linker

‎01-05-2022 09:02 AM

Hi @kiwi ,

 

I have a PA220 with PANOS 10.0.8.
As Decryption profile I tested none, default and Strict SSL:

Moritz_0-1641402005330.png

 

How can I debug this. Trace a request and look into the SSL header? Have not done anything like this before. No experience with it.

 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎01-05-2022 11:20 AM

@Moritz,

You need to look at the supported cipher suite document that @kiwi linked and pass that along to the person running your web server or load balancer. The website and the firewall need to have the same ciphers enabled so that the firewall can actually proxy the traffic. There's not a magic solution to this one, you need to work with your web admin. 

0 Likes Likes

kiwi
Community Team Member

‎01-06-2022 01:30 AM

Hi @Moritz ,

 

What @BPry said 🙂 !

 

My guess is that the web server offers a cipher suite that the PA doesn't support.  If you can run a PCAP you should be able to capture the SSL handshake and get information on the cipher suite being used.

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes
  • 3682 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks