Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who Me Too'd this topic

[RFC5746] issue with ssl decryption: openssl3.0 unsafe legacy renegotiation disabled

L0 Member

Since I upgraded to the lastest fedora, all of my python/ansible script failed when they are decrypted by our palo alto ssl outbound policy.

 

After some diging, fedora 35 was using openssl 1.1.1 and fedora 36 switched to openssl 3.0: https://fedoraproject.org/wiki/Changes/OpenSSL3.0

 

On the openssl 3.0 changelog, we can find this:

OPENSSL changelog between 1.1.1 and 3.0.0 [7 sep 2021] contains:

* Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.

 

I found a post on a stackoverflow that explain how to reenable unsecure renegociation to have a quick fix. This won't be a good solution when all our devs will be using linux and dockers with openssl 3.0 installed.

 

Is there a way to configure ssl decryption on the palo alto to enable secure renegociation ?

 

Who Me Too'd this topic