Palo Alto Networks Knowledgebase: How Palo Alto Networks Identifies HTTPS Applications Without Decryption

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
Resolution

Details

Palo Alto Networks firewalls can identify applications that run HTTP over SSL/TLS (HTTPS) without decrypting the session. In SSL/TLS up to version 1.2 the server's handshake flight is sent in the clear and includes a Certificate handshake message carrying the server's X.509 certificate chain; that message may share a TLS record (and a packet) with the Server Hello, as in the first capture below, or arrive in its own record, as in the second. The firewall reads the X.509 certificate from the Certificate handshake message and inspects the common name (CN) field of its subject.

For example, if a user accesses https://www.linkedin.com, the common name in the server certificate is www.linkedin.com and the firewall identifies the application as "linkedin-base". In the following Wireshark snippet, note the id-at-commonName entries:

No. Time                       Source               Destination          Protocol Length Destination Port Info

581 2014-07-09 04:49:11.642886 216.52.242.80        10.66.24.90          TLSv1    94     Server Hello, Certificate, Server Hello Done

Secure Sockets Layer

    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages

        Content Type: Handshake (22)

        Version: TLS 1.0 (0x0301)

        Length: 2955

        Handshake Protocol: Server Hello

            Handshake Type: Server Hello (2)

            Length: 70

            Version: TLS 1.0 (0x0301)

            Random

                gmt_unix_time: Jul  8, 2014 23:49:11.000000000 Central Daylight Time

                random_bytes: 435006774d041fcc1c8a9f609e36263e393c774208d11a0c...

            Session ID Length: 32

            Session ID: c8cb87d3951e03919c5144d2eec8a6ee296ff0a0060becd7...

            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

            Compression Method: null (0)

        Handshake Protocol: Certificate

            Handshake Type: Certificate (11)

            Length: 2873

            Certificates Length: 2870

            Certificates (2870 bytes)

                Certificate Length: 1693

                Certificate (id-at-commonName=www.linkedin.com,id-at-organizationName=LinkedIn Corporation,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)

                    signedCertificate

                        version: v3 (2)

                        serialNumber : 0x0c4f4df5ea1b98e01d8aafa51e205da2

                        signature (shaWithRSAEncryption)

                        issuer: rdnSequence (0)

                        validity

                        subject: rdnSequence (0)

                        rdnSequence: 5 items (id-at-commonName=www.linkedin.com,id-at-organizationName=LinkedIn Corporation,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)

                                RDNSequence item: 1 item (id-at-countryName=US)

                                RDNSequence item: 1 item (id-at-stateOrProvinceName=California)

                                RDNSequence item: 1 item (id-at-localityName=Mountain View)

                                RDNSequence item: 1 item (id-at-organizationName=LinkedIn Corporation)

                                RDNSequence item: 1 item (id-at-commonName=www.linkedin.com)

                                    RelativeDistinguishedName item (id-at-commonName=www.linkedin.com)

                                        Id: 2.5.4.3 (id-at-commonName)

                                        DirectoryString: printableString (1)

                                            printableString: www.linkedin.com

                        subjectPublicKeyInfo

                        extensions: 9 items

                    algorithmIdentifier (shaWithRSAEncryption)

                    Padding: 0

                    encrypted: 5d7d0a416cbfdde19ba0525a84eb866d0b9f14214e3e5d61...

                Certificate Length: 1171

                Certificate (id-at-commonName=DigiCert Secure Server CA,id-at-organizationName=DigiCert Inc,id-at-countryName=US)

        Handshake Protocol: Server Hello Done

Note: If the common name is a wildcard such as *.google.com, the firewall cannot tell which host is being accessed, so the application is identified only as "ssl". For a more specific App-ID, the common name in the server certificate must be a complete host name that matches the web address being accessed, such as www.linkedin.com. Because the session is not decrypted, this identification is based only on the name string the server presents; it is not a validation of the certificate or its chain, and it requires the Certificate message to be visible in cleartext, which is the case for TLS 1.2 and earlier.

For example, if a user accesses https://www.youtube.com, the common name in the server certificate is *.google.com and the firewall identifies the application as "ssl". In the following Wireshark snippet, note the id-at-commonName entries:

No. Time                       Source                Destination          Protocol Length Destination Port Info

55  2014-07-09 05:15:23.727751 74.125.227.129        10.66.24.90          TLSv1.2  1065   Certificate

Secure Sockets Layer

    TLSv1.2 Record Layer: Handshake Protocol: Certificate

        Content Type: Handshake (22)

        Version: TLS 1.2 (0x0303)

        Length: 3614

        Handshake Protocol: Certificate

            Handshake Type: Certificate (11)

            Length: 3610

            Certificates Length: 3607

            Certificates (3607 bytes)

                Certificate Length: 1669

                Certificate (id-at-commonName=*.google.com,id-at-organizationName=Google Inc,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)

                    signedCertificate

                        version: v3 (2)

                        serialNumber: -854736928

                        signature (shaWithRSAEncryption)

                        issuer: rdnSequence (0)

                        validity

                        subject: rdnSequence (0)

                          rdnSequence: 5 items (id-at-commonName=*.google.com,id-at-organizationName=Google Inc,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)

                                RDNSequence item: 1 item (id-at-countryName=US)

                                RDNSequence item: 1 item (id-at-stateOrProvinceName=California)

                                RDNSequence item: 1 item (id-at-localityName=Mountain View)

                                RDNSequence item: 1 item (id-at-organizationName=Google Inc)

                                RDNSequence item: 1 item (id-at-commonName=*.google.com)

                                    RelativeDistinguishedName item (id-at-commonName=*.google.com)

                                        Id: 2.5.4.3 (id-at-commonName)

                                        DirectoryString: uTF8String (4)

                                            uTF8String: *.google.com

                        subjectPublicKeyInfo

                        extensions: 9 items

                    algorithmIdentifier (shaWithRSAEncryption)

                    Padding: 0

                    encrypted: 205567f13b2171e5a24dd3898a40d02d512aacee651922e5...

                Certificate Length: 1032

                Certificate (id-at-commonName=Google Internet Authority G2,id-at-organizationName=Google Inc,id-at-countryName=US)

                Certificate (id-at-commonName=GeoTrust Global CA,id-at-organizationName=GeoTrust Inc.,id-at-countryName=US)
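The identification logic the article describes, as an added stand-alone Python example (this is not Palo Alto Networks code): it builds a TLS 1.0 server flight of the same shape as the first capture (Server Hello, Certificate and Server Hello Done in one record), wraps a structurally valid but unsigned stand-in certificate (constructed test data with a dummy key and dummy signature), walks the handshake messages to the Certificate message, pulls the subject commonName out of the leaf certificate with a minimal DER reader, and maps it to an application name. The CN_TO_APP table is a hypothetical stand-in for the App-ID signature database; the wildcard rule from the note above is applied, and no certificate validation is performed.

```python
import struct

# Added example (not Palo Alto Networks code): CN-based HTTPS application identification without decryption.
SEQ, SET, INT, OID, NULL, BITSTR, UTF8, PRINTABLE, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x03, 0x0C, 0x13, 0x17, 0xA0)        # DER tags used below
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3  id-at-commonName
OID_O = bytes.fromhex("55040a")                       # 2.5.4.10 id-at-organizationName
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5 sha1WithRSAEncryption

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n

def der_children(body):
    """Yield (tag, value) for each TLV inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def name(attrs):
    """Encode an X.501 Name from (oid, string_tag, text) triples, one RDN each."""
    return der(SEQ, b"".join(der(SET, der(SEQ, der(OID, o) + der(t, v.encode()))) for o, t, v in attrs))

def stand_in_certificate(subject_cn, cn_tag=PRINTABLE):
    """Constructed test data: a well-formed v3 certificate shell with a dummy key and dummy signature."""
    alg = der(SEQ, der(OID, OID_SHA1_RSA) + der(NULL, b""))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02"))                  # [0] version v3
                   + der(INT, b"\x01")                            # serialNumber
                   + alg                                          # signature algorithm
                   + name([(OID_O, PRINTABLE, "Example CA"), (OID_CN, PRINTABLE, "Example Issuing CA")])
                   + der(SEQ, der(UTCTIME, b"140709000000Z") + der(UTCTIME, b"150709000000Z"))
                   + name([(OID_O, PRINTABLE, "Example Corp"), (OID_CN, cn_tag, subject_cn)])
                   + der(SEQ, alg + der(BITSTR, b"\x00")))       # subjectPublicKeyInfo placeholder
    return der(SEQ, tbs + alg + der(BITSTR, bytes(17)))          # signature placeholder (not verifiable)

def u24(n):
    return n.to_bytes(3, "big")

def handshake(msg_type, body):
    return bytes([msg_type]) + u24(len(body)) + body

def server_flight(chain):
    """One TLS 1.0 record with ServerHello + Certificate + ServerHelloDone, the shape of the first capture."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x04" + b"\x00"  # version, random, no session id, RC4-MD5, null compression
    certs = b"".join(u24(len(c)) + c for c in chain)
    body = handshake(2, hello) + handshake(11, u24(len(certs)) + certs) + handshake(14, b"")
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body

def leaf_certificate(record):
    """Walk the handshake messages in a cleartext TLS record; return the first certificate's DER, or None."""
    if record[0] != 0x16:                                        # not a Handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 0
    while pos + 4 <= len(body):
        msg_type, msg_len = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
        msg = body[pos + 4:pos + 4 + msg_len]
        pos += 4 + msg_len
        if msg_type == 11:                                       # Certificate message
            return msg[6:6 + int.from_bytes(msg[3:6], "big")]    # skip total length, read first (leaf) cert
    return None

def subject_common_name(cert_der):
    """Return the subject commonName of a DER certificate. Pure parsing: no chain or signature checks."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields = list(der_children(tbs))
    if fields[0][0] == CTX0:            # optional explicit version
        fields = fields[1:]
    subject = fields[4][1]              # serial, sigAlg, issuer, validity, subject
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None

CN_TO_APP = {"www.linkedin.com": "linkedin-base"}   # hypothetical stand-in for the App-ID database

def identify_app(record):
    """Map a server handshake record to an App-ID-style name using only the leaf certificate's CN."""
    cert = leaf_certificate(record)
    cn = subject_common_name(cert) if cert else None
    if cn is None or cn.startswith("*."):           # no certificate, or wildcard CN: nothing host-specific
        return "ssl"
    return CN_TO_APP.get(cn.lower(), "ssl")

if __name__ == "__main__":
    print(identify_app(server_flight([stand_in_certificate("www.linkedin.com")])))    # linkedin-base
    print(identify_app(server_flight([stand_in_certificate("*.google.com", UTF8)])))  # ssl
```

The parser deliberately stops at the commonName string: it never checks the signature, validity period or chain, which is exactly why the article's approach yields an application name rather than a trust decision. Feeding it a record whose Certificate message is encrypted (TLS 1.3) would return "ssl" only because no cleartext type-11 message is found.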

owner: gchandrasekaran



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail