Palo Alto Networks Knowledgebase: SSL Decryption Not Working due to Unsupported Cipher Suites

SSL Decryption Not Working due to Unsupported Cipher Suites

Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM

Issue

With SSL Inbound Inspection, even after the decryption policy has been configured and the web server's certificate and private key have been imported, traffic to the web server is still not decrypted.

 

Similarly, when using SSL Forward Proxy, sessions are either not decrypted and continue to be identified as application "ssl", or they are not allowed through as application "ssl" and are instead interrupted.

 

Check the following compatibility matrix to see which cipher suites are supported for each PAN-OS release and feature or function:

 

Supported Cipher Suites

 

Use the following CLI command to look for the type of drop message:

> show counter global filter delta yes | match ssl_sess_id_resume_drop

 

In PAN-OS 6.0 and later, the show counter global command reports when the cipher suite chosen by the server is unsupported.

With a packet filter applied (so that only the sessions of interest are counted) and using delta counters:

> show counter global filter packet-filter yes delta yes

or

> show counter global filter delta yes | match "ssl_server_cipher_not_supported"

 

...

...

ssl_server_cipher_not_supported 2 0 warn ssl pktproc The cipher chosen by server is not supported
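The counter above says that the cipher chosen by the server is not supported, but it does not say which cipher that was. The following script is an added illustration (not Palo Alto Networks code) of how to find out from a packet capture: it parses a TLS ServerHello record to extract the negotiated version and cipher suite, and compares the suite against an allowlist. The ServerHello bytes are constructed inline for the example, the cipher-suite name table is a small subset of the IANA registry, and the ALLOWED_SUITES set is a placeholder assumption that must be replaced with the suites listed in the compatibility matrix for your PAN-OS release. A small helper that splits a counter row into its columns is included because the same check is usually scripted against the command output.

```python
"""Identify the cipher suite a server chose in a TLS ServerHello and compare it
against an allowlist. Added example for this KB article, not vendor code."""
import struct

# Subset of the IANA TLS cipher suite registry (code -> name).
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC0AE: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Placeholder allowlist (assumption, NOT the PAN-OS matrix): replace it with the
# suites the compatibility matrix lists for your release and decryption mode.
ALLOWED_SUITES = {0x002F, 0x0035, 0x003C, 0x009C, 0xC013, 0xC014, 0xC02F, 0xC030}


def parse_server_hello(record: bytes) -> dict:
    """Return negotiated version and cipher suite from one TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]      # legacy_version
    pos = 2 + 32                                   # skip server random
    sid_len = hs[pos]
    pos += 1 + sid_len                             # skip session id
    if len(hs) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression
    if len(hs) >= pos + 2:                         # optional extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            # supported_versions (0x002B): TLS 1.3 carries the real version here.
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "version_name": VERSION_NAMES.get(version, "unknown"),
            "cipher": cipher, "cipher_name": CIPHER_NAMES.get(cipher, "unknown")}


def check_chosen_cipher(record: bytes, allowed=frozenset(ALLOWED_SUITES)) -> dict:
    """Parse the ServerHello and report whether the chosen suite is on the allowlist."""
    info = parse_server_hello(record)
    info["ok"] = info["cipher"] in allowed
    return info


def parse_counter_line(line: str) -> dict:
    """Split one 'show counter global' row into
    name value rate severity category aspect description."""
    parts = line.split(None, 6)
    if len(parts) < 7:
        raise ValueError("unexpected counter row: %r" % line)
    name, value, rate, severity, category, aspect, desc = parts
    return {"name": name, "value": int(value), "rate": int(rate), "severity": severity,
            "category": category, "aspect": aspect, "description": desc}


def build_server_hello(cipher: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello record (test input, not a real capture)."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"   # version, random, empty sid
    body += struct.pack("!H", cipher) + b"\x00"                  # cipher suite, null compression
    if tls13:
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)             # supported_versions = 1.3
        body += struct.pack("!H", len(ext)) + ext
    else:
        body += struct.pack("!H", 0)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    row = parse_counter_line("ssl_server_cipher_not_supported 2 0 warn ssl pktproc "
                             "The cipher chosen by server is not supported")
    print(row["name"], "incremented by", row["value"])
    for sample in (build_server_hello(0xC02F), build_server_hello(0xCCA8),
                   build_server_hello(0x1301, tls13=True)):
        print(check_chosen_cipher(sample))
```

To use it against real traffic, extract the ServerHello record bytes from the packet capture taken with the packet filter (the handshake record starts at the first 0x16 byte of the server's first application payload) and pass them to check_chosen_cipher; a False result names the suite that has to be disabled on the server.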

 

Resolution

Disable the unsupported cipher suites on the web server so that it negotiates one of the suites listed as supported for your PAN-OS release, then confirm that the ssl_server_cipher_not_supported counter stops incrementing. For SSL Forward Proxy the destination server is usually not yours to reconfigure; in that case the unsupported-mode settings of the decryption profile determine whether such sessions are blocked or passed through undecrypted.

 

See Also

Palo Alto Networks Supported SSL/TLS Version and Cipher Suites for Web UI

 

owner: panagent



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle3CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail