How to Identify Root Cause for SSL Decryption Failure Issues

Overview

This document provides instructions on how to identify decryption failures due to an unsupported cipher suite.

Check out the following compatibility matrix to confirm the currently supported cipher suites :

Supported Cipher Suites

Issue

In this example, the SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptec Curve Ephemeral Diffie-Hellman (ECDHE).

Follow these steps to confirm the issue:

1. Run a packet capture from the Palo Alto Networks device (see How to Run a Packet Capture). Examine Client Hello packets sent by the client and the response packets sent by the server. Look for "Handshake Failure," which is shown below.
   
2. View the Cipher Suites supported by the client or Palo Alto Networks device in the Client Hello packets.
   
3. Using the SSL scan tool https://www.ssllabs.com/ssltest/index.html, find out which cipher suites are supported by the server. See this example:
   

The output above confirms that the issue is due to unsupported cipher suites.

Resolution

Create a No Decrypt policy.

1. Create a Custom URL Category for that site.
   1. Go to > Objects > URL Category.
   2. Click on the Add button.
   3. Name the Custom URL Category.
   4. Click the Add button and then add the server's site and commit.
      
2. Create a Decryption Policy with a No Decrypt action of that URL site.
   1. Go to Policies > Decryption.
   2. Select the Decryption Rule.
   3. Clone the Decryption Rule.
   4. Move the Clone Decryption Policy above the Decryption Policy.
   5. Click on the Clone Decryption Policy > URL Category.
   6. Click on the Add button.
   7. Add the URL site and commit.
      

owner: ssastera