SSL Decryption Not Working due to Unsupported Cipher Suites

SSL Decryption Not Working due to Unsupported Cipher Suites

77960
Created On 09/25/18 19:48 PM - Last Modified 08/03/23 11:18 AM


Resolution


Issue

With Inbound SSL decryption, after the required configuration and import of all required certificates, the inbound SSL decryption is not working on the web server.

 

Similarly when using SSL Forward Proxy, sessions are either not getting decrypted and continue to show as application"ssl", or connections are not allowed through as application "ssl" and are instead being interrupted.

 

Check out the following compatibility matrix to see which cipher suites are supported according to PAN-OS release and feature or function :

 

Supported Cipher Suites

 

Using the following CLI command, look for the type of drop message:

> show counter global filter delta yes | match ssl_sess_id_resume_drop

 

From PAN-OS 6.0 and above, the show counter global command will show if a cipher suite is unsupported.

With a PCAP filter applied and using delta counters:

> show counter global filter packet-filter yes delta yes

or

> show counter global filter delta yes | match "ssl_server_cipher_not_supported"

 

...

...

ssl_server_cipher_not_supported 2 0 warn ssl pktproc The cipher chosen by server is not supported

 

Resolution

Disable the unsupported cipher suites on the web server.

 

owner: panagent



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle3CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language