Palo Alto Networks Knowledgebase: SSL decrypt exclude cache and unsupported ECDHE cipher suites

SSL decrypt exclude cache and unsupported ECDHE cipher suites

7044
Created On 02/20/19 21:27 PM - Last Updated 02/21/19 16:51 PM
Certificate Profile SSL Forward Proxy SSL Inbound Inspection Decryption PAN-OS
Resolution

 

If a website or destination only supports ECDHE SSL ciphers, then SSL decryption forward proxy will not work.

This is attributed to the unsupported ECDHE cipher suites, which is not supported for the forward proxy feature.

 

Let's take a look how the SSL decryption forward proxy feature handles unsupported SSL ECDHE cipher suites.

  • The client sends an SSL hello to the website or destination host. The client hello includes all the SSL cipher suites it supports, which include the ECDHE cipher suites. The Palo Alto Networks firewall intercepts the client hello packet, selects the supported ciphers from this list (removing the ECDHE ones), re-crafts the SSL client hello and proxies it to the website.
  • The website or destination host replies with an SSL HANDSHAKE failure: error code 40- unsupported ciphers, if the wesbite does not support non-ECDHE ciphers.
  • The packet containing 'SSL HANDSHAKE failure: error code 40- unsupported ciphers' is the trigger for the Palo Alto Networks firewall to know that the website or destination host does not support the proposed SSL cipher suites. The Palo Alto Networks firewall gives up decryption for this website and populates its 'ssl-decrypt exclude cache.'
  • From now on, the Palo Alto Networks firewall will not proxy any subsequent connections to this website or destination host.
  • The lifetime of the SSL decrypt exclude cache is 12 hours. It persists as long as there's no change made to the decryption policy. 
  • On collecting another packet capture on the firewall in the received and transmit stage and comparing them you can see that SSL ciphers proposed in the client hello, by the actual client machine behind the Palo Alto Networks firewall and the one relayed by the firewall are the same. Thereby SSL decryption forward proxy is bypassed.

Beginning PAN-OS 7.0.1 and onwards

SSLv3 is the minimum version of SSL protocol that is supported. It is not supported in FIPS mode though.

SSL decrypt excludes cache functions in tandem as per the configured parameters.

 

The server URL/IP, App and decryption profile are put in exclude cache if:
Decryption mode is SSL Forward Proxy "Block sessions with unsupported version" and "Block sessions with unsupported cipher suites" are unchecked.
The failure is because of the server side, rather than the client side.


It's either in the server hello or in an alert from the server.


For example:

 

PA-VM> show system setting ssl-decrypt exclude-cache

VSYS    SERVER                     APP    TIMEOUT      REASON                             DECRYPTED_APP      PROFILE
1            91.185.164.129:443    ssl       43186            SSL_UNSUPPORTED        undecided                    Decrypt Stream
 

In the above output from the command line of the Palo Alto Networks firewall:
VSYS: 1 is the id of the default virtual system 1 (vsys1)
SERVER: 91.185.164.129 is the IP address of the website / destination host

APP: ssl, reflects the ssl application 

TIMEOUT: 43186 is the lifetime of the cached entry in seconds. The maximum cache lifetime is 12 hours or 43200 secs
REASON--SSL_UNSUPPORTED: implies unsupported ssl cipher suites and hence an entry in the exclude cache
DECRYPTED_APP: undecided, as the website wasn't decrypted so the firewall doesn't know the underlying application 

PROFILE: Decrypt Stream is the name of the decryption profile, which is referenced in the ssl decryption policy.

 

The cache can be cleared using the following CLI options:
 

PA-VM> debug dataplane reset ssl-decrypt exclude-cache
+ application       application
+ server server   address and port
 


For example:

PA-VM> debug dataplane reset ssl-decrypt exclude-cache application ssl server 91.185.164.129:443


 


Additional Information

Please refer to the PAN-OS new features guide for the enhancements made to SSL decryption feature for more information.
New Features Guide

 

Read this article for more information about unsupported ssl cipher suits:

Unsupported SSL cipher suites for Decryption



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfGCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language