Sessions Matching Inbound-Inspection Decryption Rule Fail to be Decrypted

Created On 09/25/18 20:34 PM - Last Modified 07/19/22 23:07 PM



Issue

Inbound SSL sessions that match an inbound-inspection decryption rule are not decrypted and are identified by the Palo Alto Networks device only as the generic SSL application. If a decryption profile is configured to drop sessions that use unsupported cipher suites, these sessions are dropped.


Cause

The behavior is caused by an unsupported cipher suite chosen by the server during the SSL handshake. During the handshake, the client and server negotiate a master key from which a session key is derived; that session key is then used to encrypt the data symmetrically.

With an RSA-based key exchange, the client encrypts the master key with the server's public key (asymmetric encryption) and sends it to the server. Because the Palo Alto Networks device holds the server's private key, it can decrypt that master key and inspect the data.

With Diffie-Hellman, however, the client and server each compute the master key mathematically without ever sending it across the wire. The Palo Alto Networks device has nothing it can decrypt to recover the key, so it cannot decrypt the underlying session. Diffie-Hellman key exchange is therefore incompatible with the decryption mechanism used by the Palo Alto Networks device.
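To make the distinction in the Cause section concrete, the following is an added example (not Palo Alto Networks code) that models both key exchanges with toy parameters: a deliberately small RSA key, an unsafe Diffie-Hellman group and an XOR keystream standing in for the record cipher. The "inspector" holds only the server's private key and a copy of the handshake, which is exactly what inbound inspection has.

```python
"""Toy model: a passive inspector holding the server's RSA private key recovers the
session key under RSA key exchange, but not under Diffie-Hellman.
Added example, not Palo Alto Networks code; every parameter here is a toy value."""
import hashlib
import secrets

# Toy RSA server key: Mersenne primes 2^61-1 and 2^89-1 (far too small for real use).
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent (Python 3.8+)

# Toy Diffie-Hellman group: Mersenne prime 2^127-1 with generator 2 (not a safe group).
DH_P, DH_G = 2**127 - 1, 2


def derive_session_key(secret: int) -> bytes:
    """Stand-in for the TLS master-secret / key-block derivation."""
    return hashlib.sha256(b"toy-master-secret" + secret.to_bytes(32, "big")).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric record cipher: XOR with a SHA-256 keystream (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def rsa_handshake():
    """Client picks the secret and sends it encrypted under the server's public key.
    Returns (client key, server key, what a passive observer sees on the wire)."""
    premaster = secrets.randbits(128)
    client_key_exchange = pow(premaster, RSA_E, RSA_N)   # textbook RSA, no padding: toy only
    server_premaster = pow(client_key_exchange, RSA_D, RSA_N)
    wire = {"kx": "RSA", "client_key_exchange": client_key_exchange}
    return derive_session_key(premaster), derive_session_key(server_premaster), wire


def dh_handshake():
    """Each side keeps a random exponent; only g^a and g^b cross the wire."""
    a, b = secrets.randbits(120), secrets.randbits(120)
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_secret, server_secret = pow(gb, a, DH_P), pow(ga, b, DH_P)
    wire = {"kx": "DHE", "server_share": gb, "client_share": ga}
    return derive_session_key(client_secret), derive_session_key(server_secret), wire


def inspector_recover_key(wire: dict, server_private_exponent: int):
    """What an inline decryptor holding the server's RSA private key can recover."""
    if wire["kx"] == "RSA":
        premaster = pow(wire["client_key_exchange"], server_private_exponent, RSA_N)
        return derive_session_key(premaster)
    # DHE: the private key only signs the ServerKeyExchange; it plays no part in g^ab,
    # and recovering g^ab from g^a and g^b alone is the discrete-logarithm problem.
    return None


def inspect_session(handshake) -> dict:
    """Run one handshake, encrypt a record, then try to decrypt it with the inspector's key."""
    client_key, server_key, wire = handshake()
    assert client_key == server_key
    payload = b"GET /account HTTP/1.1"                    # constructed sample record
    record = xor_keystream(client_key, payload)
    recovered = inspector_recover_key(wire, RSA_D)
    plaintext = xor_keystream(recovered, record) if recovered else None
    return {"kx": wire["kx"], "decrypted": plaintext == payload}


if __name__ == "__main__":
    for hs in (rsa_handshake, dh_handshake):
        print(inspect_session(hs))
```

Real TLS 1.2 sends a pre-master secret and derives the master secret from it together with both Hello randoms; the toy collapses that into one derivation. The point survives intact: with RSA key exchange the private key turns the ClientKeyExchange back into the secret, while with (EC)DHE the private key only signs the ServerKeyExchange and the shared secret never crosses the wire.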

 

Resolution

All cipher suites that use the Diffie-Hellman protocol (DHE, Ephemeral Diffie-Hellman) for session key exchange must be removed from the cipher suites offered by the targeted web server configuration.

Note: The cipher-suite change on the web server should be made by the web server administrator.
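After the web server has been reconfigured, the practical check is whether the server still negotiates a Diffie-Hellman suite. The following is an added example (not Palo Alto Networks tooling) that parses a raw TLS ServerHello record, looks the chosen suite up in a subset of the IANA cipher-suite registry, and classifies its key exchange; the ServerHello bytes are constructed here as sample input. It treats ECDHE suites the same as DHE, since elliptic-curve Diffie-Hellman is still Diffie-Hellman and is equally undecryptable with only the server key, and it treats every TLS 1.3 suite as ephemeral, because TLS 1.3 has no RSA key exchange at all. Removing (EC)DHE from a server also removes forward secrecy for that server, which is the trade-off this resolution makes.

```python
"""Check which cipher suite a server negotiated and whether inbound inspection
(decryption with the server's private key) can handle it.
Added example, not Palo Alto Networks tooling; the ServerHello bytes are constructed."""
import os

# Subset of the IANA TLS cipher-suite registry (code -> name); extend as needed.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suite: key exchange is always ephemeral (EC)DHE
}


def key_exchange(suite: int) -> str:
    """'RSA' (server key decrypts the secret), 'DHE' (ephemeral Diffie-Hellman,
    nothing on the wire to decrypt) or 'unknown' (not in the registry subset)."""
    name = CIPHER_SUITES.get(suite)
    if name is None:
        return "unknown"
    if (suite >> 8) == 0x13 or "_DHE_" in name or "_ECDHE_" in name:
        return "DHE"
    if name.startswith("TLS_RSA_WITH_"):
        return "RSA"
    return "unknown"


def parse_server_hello(record: bytes) -> dict:
    """Extract version, session id and the chosen cipher suite from a raw ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = (hs[0], hs[1])
    pos = 2 + 32                          # skip legacy_version and the 32-byte server random
    sid_len = hs[pos]
    pos += 1
    session_id = hs[pos:pos + sid_len]
    pos += sid_len
    if len(hs) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = int.from_bytes(hs[pos:pos + 2], "big")
    compression = hs[pos + 2]
    return {"version": version, "session_id": session_id,
            "cipher_suite": suite, "compression": compression}


def build_server_hello(suite: int) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample input for this example only)."""
    hello = b"\x03\x03" + os.urandom(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def check_negotiated(record: bytes) -> dict:
    """Report what the server chose and whether inbound inspection can decrypt the session."""
    suite = parse_server_hello(record)["cipher_suite"]
    kx = key_exchange(suite)
    return {"suite": CIPHER_SUITES.get(suite, hex(suite)),
            "key_exchange": kx,
            "inbound_inspection_ok": kx == "RSA"}


def rsa_only(candidates):
    """Filter a candidate server cipher list down to the suites inbound inspection can decrypt."""
    return [s for s in candidates if key_exchange(s) == "RSA"]


if __name__ == "__main__":
    for suite in (0xC02F, 0x009C):
        print(check_negotiated(build_server_hello(suite)))
```

To use this on a live server, feed it the first record the server returns after a ClientHello (for example, the bytes captured from a packet capture); a result with `inbound_inspection_ok` set to False means the server is still selecting a suite the device cannot decrypt, and `rsa_only` gives the subset of a candidate list that is safe to leave enabled.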


owner: nbilly



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhfCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail