Unsupported cipher. Supported client cipher bitmask: 0x00000000


L2 Linker

Hi,

I have a decryption policy for inbound SSL decryption to a webpage. Therefore I have included the private certificate.

At decryption monitor there is a message:

( error eq 'Unsupported cipher. Supported client cipher bitmask: 0x00000000. Supported decrypt profile cipher bitmask: 0x00000014.' )

I found this link https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decry... but my bitmask is 0x00?

How can I fix it? I chose the strict SSL control decryption profile, but that didn't help.

4 REPLIES

Community Team Member

Hi @Moritz ,

Supported cipher suites will vary depending on your PAN-OS version. What's your current version, and how is your decryption profile configured?

As an example, some earlier PAN-OS versions only supported DHE or ECDHE for SSL Forward Proxy (it wasn't supported for Inbound Inspection).

You might want to do some more debugging and check on which cipher suite client/server agree upon in the SSL handshake and compare that to the compatibility matrix to see if it's actually supported:

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites.html

Hope it helps

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

L2 Linker

Hi @kiwi ,

I have a PA-220 with PAN-OS 10.0.8.
As decryption profile I tested none, default, and Strict SSL:

[screenshot: Moritz_0-1641402005330.png]

How can I debug this? Trace a request and look into the SSL header? I have not done anything like this before and have no experience with it.

Cyber Elite

@Moritz,

You need to look at the supported cipher suite document that @kiwi linked and pass that along to the person running your web server or load balancer. The website and the firewall need to have the same ciphers enabled so that the firewall can actually proxy the traffic. There's no magic solution to this one; you need to work with your web admin.

Community Team Member

Hi @Moritz ,

What @BPry said 🙂!

My guess is that the web server offers a cipher suite that the PA doesn't support. If you can run a PCAP you should be able to capture the SSL handshake and get information on the cipher suite being used.

Hope this helps,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!
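One way to do the handshake check described in the replies above, offline and on a captured ServerHello record (added example, not from the thread or from Palo Alto Networks; the SUITE_NAMES codes are real IANA values, while DEVICE_SUPPORTED and the sample record are constructed placeholders):

```python
# Added example (not from the thread or Palo Alto Networks): pull the negotiated
# cipher suite out of a captured TLS ServerHello (RFC 5246 layout) and compare it
# with what the decrypting device supports. DEVICE_SUPPORTED is a constructed
# placeholder; the real list is in the compatibility matrix linked above.
import struct

SUITE_NAMES = {  # IANA cipher-suite codes (real registry values)
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
DEVICE_SUPPORTED = {0x002F}  # CONSTRUCTED placeholder, not PAN-OS data


def parse_server_hello(record: bytes) -> dict:
    """Return the protocol version and cipher suite from one ServerHello record."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:  # 0x16 = handshake record
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:  # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32  # skip server random
    pos += 1 + body[pos]  # skip session_id (length-prefixed)
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def explain(record: bytes, supported=DEVICE_SUPPORTED) -> str:
    """Verdict line: is the negotiated suite on the device's supported list?"""
    suite = parse_server_hello(record)["cipher_suite"]
    name = SUITE_NAMES.get(suite, "unknown")
    verdict = "supported" if suite in supported else "NOT supported"
    return f"negotiated 0x{suite:04X} ({name}): {verdict} by the decrypting device"


def build_server_hello(suite: int) -> bytes:
    """CONSTRUCTED sample: TLS 1.2 ServerHello, empty session id, no extensions."""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, sid len
            + struct.pack("!H", suite) + b"\x00\x00\x00")  # suite, compression, ext len
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for s in (0x002F, 0xC02F):
        print(explain(build_server_hello(s)))
```

In practice, feed it the first server-to-client handshake record from the PCAP; the supported set must come from the compatibility matrix for your PAN-OS version.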