How Palo Alto Networks Identifies HTTPS Applications Without Decryption
Resolution
Details
Palo Alto Networks firewalls can identify applications that use HTTP over SSL/TLS (HTTPS) without performing decryption. During SSL session setup (the handshake), the firewall receives the server's "hello" messages, which either carry the certificate details or are followed by a separate Certificate message from the server. The firewall looks for the X.509 digital certificate received from the server and inspects the common name field in the SSL Handshake Protocol.
For example, if a user accesses https://www.linkedin.com, the common name in the server certificate is www.linkedin.com and the firewall identifies the application as "linkedin-base". See the following Wireshark snippet; note the id-at-commonName entries:
No. Time Source Destination Protocol Length Destination Port Info
581 2014-07-09 04:49:11.642886 216.52.242.80 10.66.24.90 TLSv1 94 Server Hello, Certificate, Server Hello Done
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 2955
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Jul 8, 2014 23:49:11.000000000 Central Daylight Time
                random_bytes: 435006774d041fcc1c8a9f609e36263e393c774208d11a0c...
            Session ID Length: 32
            Session ID: c8cb87d3951e03919c5144d2eec8a6ee296ff0a0060becd7...
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Method: null (0)
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2873
            Certificates Length: 2870
            Certificates (2870 bytes)
                Certificate Length: 1693
                Certificate (id-at-commonName=www.linkedin.com,id-at-organizationName=LinkedIn Corporation,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 0x0c4f4df5ea1b98e01d8aafa51e205da2
                        signature (shaWithRSAEncryption)
                        issuer: rdnSequence (0)
                        validity
                        subject: rdnSequence (0)
                            rdnSequence: 5 items (id-at-commonName=www.linkedin.com,id-at-organizationName=LinkedIn Corporation,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
                                RDNSequence item: 1 item (id-at-localityName=Mountain View)
                                RDNSequence item: 1 item (id-at-organizationName=LinkedIn Corporation)
                                RDNSequence item: 1 item (id-at-commonName=www.linkedin.com)
                                    RelativeDistinguishedName item (id-at-commonName=www.linkedin.com)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: www.linkedin.com
                        subjectPublicKeyInfo
                        extensions: 9 items
                    algorithmIdentifier (shaWithRSAEncryption)
                    Padding: 0
                    encrypted: 5d7d0a416cbfdde19ba0525a84eb866d0b9f14214e3e5d61...
                Certificate Length: 1171
                Certificate (id-at-commonName=DigiCert Secure Server CA,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
        Handshake Protocol: Server Hello Done
Note: If the common name contains a wildcard, such as *.google.com, the application is identified only as "ssl". For the firewall to identify the specific application, the common name in the server certificate must therefore be a complete host name that matches the web address being accessed, such as www.linkedin.com.
For example, if a user accesses https://www.youtube.com, the common name in the server certificate is *.google.com and the firewall identifies the application as "ssl". See the following Wireshark snippet; note the id-at-commonName entries:
No. Time Source Destination Protocol Length Destination Port Info
55 2014-07-09 05:15:23.727751 74.125.227.129 10.66.24.90 TLSv1.2 1065 Certificate
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 3614
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3610
            Certificates Length: 3607
            Certificates (3607 bytes)
                Certificate Length: 1669
                Certificate (id-at-commonName=*.google.com,id-at-organizationName=Google Inc,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: -854736928
                        signature (shaWithRSAEncryption)
                        issuer: rdnSequence (0)
                        validity
                        subject: rdnSequence (0)
                            rdnSequence: 5 items (id-at-commonName=*.google.com,id-at-organizationName=Google Inc,id-at-localityName=Mountain View,id-at-stateOrProvinceName=California,id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-stateOrProvinceName=California)
                                RDNSequence item: 1 item (id-at-localityName=Mountain View)
                                RDNSequence item: 1 item (id-at-organizationName=Google Inc)
                                RDNSequence item: 1 item (id-at-commonName=*.google.com)
                                    RelativeDistinguishedName item (id-at-commonName=*.google.com)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: uTF8String (4)
                                            uTF8String: *.google.com
                        subjectPublicKeyInfo
                        extensions: 9 items
                    algorithmIdentifier (shaWithRSAEncryption)
                    Padding: 0
                    encrypted: 205567f13b2171e5a24dd3898a40d02d512aacee651922e5...
                Certificate Length: 1032
                Certificate (id-at-commonName=Google Internet Authority G2,id-at-organizationName=Google Inc,id-at-countryName=US)
                Certificate (id-at-commonName=GeoTrust Global CA,id-at-organizationName=GeoTrust Inc.,id-at-countryName=US)
Secure Sockets Layer
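The following Python is an added example, not Palo Alto Networks code or configuration. It walks a server's handshake flight the way the two captures above show it: it skips past the Server Hello message, pulls the X.509 subject commonName out of the first certificate in the Certificate message, and applies the rule from the note above, so that an exact name such as www.linkedin.com maps to an application while a wildcard such as *.google.com falls back to "ssl". Everything in it is constructed: the certificates are unsigned DER shells with dummy keys and signatures, the TLS 1.0 framing is hand-built, and APP_BY_COMMON_NAME is a two-entry stand-in for the App-ID signature database, which is proprietary and not on this page. All function and constant names are the example's own.

```python
OID_COMMON_NAME = bytes.fromhex("550403")   # 2.5.4.3  id-at-commonName
OID_ORGANIZATION = bytes.fromhex("55040a")  # 2.5.4.10 id-at-organizationName
# Constructed two-entry stand-in for the App-ID signature database, which is not on this page.
APP_BY_COMMON_NAME = {"www.linkedin.com": "linkedin-base"}

# ---- minimal DER encoder, used only to construct the sample certificates ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form: 0x80 | len(lb), then lb
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def x509_name(cn, org):
    # Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET OF {OID, value}
    def rdn(oid, tag, text):
        return der(0x31, der(0x30, der(0x06, oid) + der(tag, text.encode())))
    return der(0x30, rdn(OID_ORGANIZATION, 0x13, org) + rdn(OID_COMMON_NAME, 0x0C, cn))

def build_certificate(cn, org):  # unsigned X.509 v3 shell: dummy key and signature, real field layout
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg  # [0] version, serial, sigAlg
              + x509_name("Example Issuing CA", "Example CA Inc")                  # issuer
              + der(0x30, der(0x17, b"140101000000Z") + der(0x17, b"150101000000Z"))  # validity
              + x509_name(cn, org)                                                 # subject (holds the CN)
              + der(0x30, sig_alg + der(0x03, b"\x00")))                           # SPKI placeholder
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))

# ---- minimal TLS 1.0 handshake framing for the constructed server flight ----
def handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def server_hello():  # TLS 1.0, zero random, no session id, TLS_RSA_WITH_RC4_128_MD5, null compression
    return handshake(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x04" + b"\x00")

def certificate_message(chain):
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return handshake(11, len(certs).to_bytes(3, "big") + certs)

def tls_record(*messages):  # Content Type: Handshake (22), Version: TLS 1.0 (0x0301)
    payload = b"".join(messages)
    return bytes([22, 0x03, 0x01]) + len(payload).to_bytes(2, "big") + payload

# ---- inspection side: what the firewall reads from the flight without decrypting ----
def read_tlv(buf, off):  # one DER element at buf[off:] -> (tag, value, offset after it)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:  # long form
        nbytes = length & 0x7F
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + length], off + length

def der_children(content):
    off = 0
    while off < len(content):
        tag, val, off = read_tlv(content, off)
        yield tag, val

def subject_common_name(cert_der):  # subject commonName of a DER certificate, or None
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate is the first child
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                  # explicit [0] version precedes serialNumber
        fields = fields[1:]
    subject = fields[4][1]                    # serial, sigAlg, issuer, validity, subject
    for _, rdn in der_children(subject):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_COMMON_NAME:        # printableString (0x13) or utf8String (0x0C)
                return value.decode("utf-8", errors="replace")
    return None

def server_certificates(record):  # DER chain from the Certificate (11) message; other types skipped
    off, end, chain = 5, 5 + int.from_bytes(record[3:5], "big"), []
    while off < end:
        msg_type, msg_len = record[off], int.from_bytes(record[off + 1:off + 4], "big")
        body, off = record[off + 4:off + 4 + msg_len], off + 4 + msg_len
        if msg_type != 11:                    # e.g. Server Hello (2) in a multi-message record
            continue
        pos, total = 3, int.from_bytes(body[:3], "big")
        while pos < 3 + total:
            clen = int.from_bytes(body[pos:pos + 3], "big")
            chain.append(body[pos + 3:pos + 3 + clen])
            pos += 3 + clen
    return chain

def identify_application(record):  # the article's rule: exact CN -> application, wildcard -> 'ssl'
    chain = server_certificates(record)
    if not chain:
        return None                           # no Certificate message seen: nothing to decide on
    cn = subject_common_name(chain[0])        # leaf (server) certificate comes first
    if cn is None or cn.startswith("*."):
        return "ssl"
    return APP_BY_COMMON_NAME.get(cn, "ssl")  # assumption: unmatched exact names also stay 'ssl'

# Constructed records mirroring the two captures above; every value is a dummy.
LINKEDIN_RECORD = tls_record(server_hello(), certificate_message([
    build_certificate("www.linkedin.com", "LinkedIn Corporation"),
    build_certificate("DigiCert Secure Server CA", "DigiCert Inc")]))
WILDCARD_RECORD = tls_record(certificate_message([build_certificate("*.google.com", "Google Inc")]))
```

Calling identify_application(LINKEDIN_RECORD) yields "linkedin-base" and identify_application(WILDCARD_RECORD) yields "ssl", which is the behaviour the two captures illustrate. The parser reads only the leaf certificate's subject, as the article describes; it does not validate the chain, so a matched name is an identification hint for policy, not proof of the server's identity. A record that carries no Certificate message yet returns None rather than "ssl", since the firewall has nothing to decide on until that message arrives.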
owner: gchandrasekaran