How to Identify Root Cause for SSL Decryption Failure Issues

Created On 09/26/18 13:47 PM - Last Updated 09/14/20 22:33 PM


Symptom
  • How to identify decryption failures due to an unsupported cipher suite.
  • Check the compatibility matrix to confirm the currently supported cipher suites:



Environment
  • PAN-OS
  • SSL Decryption


Cause
In this example, SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) key exchange, and the SSL proxy does not offer those cipher suites.
Follow these steps to confirm the issue:
  1. Run a packet capture on the Palo Alto Networks device (see How to Run a Packet Capture). Examine the Client Hello packets sent by the client and the response packets sent by the server, and look for the "Handshake Failure" alert shown below.
    (screenshot: step-1.PNG)
  2. View the cipher suites offered by the client or by the Palo Alto Networks device in the Client Hello packets.
    (screenshot: step-2.PNG)
  3. Use the SSL scan tool at https://www.ssllabs.com/ssltest/index.html to find out which cipher suites the server supports. See this example:
    (screenshot: Step-3.PNG)

The output above confirms that the issue is due to unsupported cipher suites.
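The check described in steps 1 to 3 can be made mechanical: pull the offered cipher suites out of the Client Hello, confirm the server's reply is a fatal handshake_failure alert, and intersect the offered suites with the server's supported list. The script below is an added example, not code from the article or from Palo Alto Networks; the Client Hello and alert bytes are constructed test data (a minimal TLS 1.2 record with a zeroed random), and the server's suite list stands in for what the SSL Labs scan reports. The cipher-suite code points are the real IANA values.

```python
import struct

# Subset of IANA TLS cipher-suite code points, used only to print readable names.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

HANDSHAKE, ALERT = 22, 21                # TLS record content types
ALERT_FATAL, HANDSHAKE_FAILURE = 2, 40   # alert level / description (RFC 5246)


def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + bytes(32)                  # random (zeros; test data only)
        + b"\x00"                    # session_id length 0
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                # one compression method: null
        + b"\x00\x00"                # extensions length 0
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher-suite code points offered in a ClientHello record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = record[5:5 + length]
    pos = 4 + 2 + 32                 # skip handshake header, client_version, random
    pos += 1 + body[pos]             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def parse_alert(record):
    """Return (level, description) from a plaintext TLS Alert record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT or length != 2:
        raise ValueError("not a plaintext alert record")
    return record[5], record[6]


def diagnose(client_hello, server_alert, server_suites):
    """Decide whether a handshake_failure alert is explained by a cipher-suite mismatch."""
    offered = parse_client_hello(client_hello)
    level, desc = parse_alert(server_alert)
    failed = (level == ALERT_FATAL and desc == HANDSHAKE_FAILURE)
    common = [s for s in offered if s in server_suites]
    return {
        "handshake_failure": failed,
        "offered": [CIPHER_NAMES.get(s, hex(s)) for s in offered],
        "common": [CIPHER_NAMES.get(s, hex(s)) for s in common],
        "cipher_mismatch": failed and not common,
    }


# Constructed sample: the proxy offers RSA key-exchange suites only; the server,
# as in the article's scenario, accepts only DHE/ECDHE suites and replies with a
# fatal handshake_failure alert.
PROXY_SUITES = [0x002F, 0x0035, 0x009C]
SERVER_SUITES = [0x009E, 0xC02F, 0xC030]
PROXY_CLIENT_HELLO = build_client_hello(PROXY_SUITES)
SERVER_ALERT = b"\x15\x03\x03\x00\x02" + bytes([ALERT_FATAL, HANDSHAKE_FAILURE])

if __name__ == "__main__":
    for key, value in diagnose(PROXY_CLIENT_HELLO, SERVER_ALERT, SERVER_SUITES).items():
        print(f"{key}: {value}")
```

A handshake_failure alert with a non-empty intersection points somewhere other than cipher suites (for example a certificate or protocol-version problem), so the "common" list is worth reading even when "handshake_failure" is true.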



Resolution

Create a No Decrypt policy.

  1. Create a Custom URL Category for that site.
    1. Go to Objects > URL Category.
    2. Click the Add button.
    3. Name the Custom URL Category.
    4. Click the Add button, add the server's site, and commit.
      (screenshot: WA1.PNG)
  2. Create a Decryption Policy with a No Decrypt action for that URL category.
    1. Go to Policies > Decryption.
    2. Select the Decryption Rule.
    3. Clone the Decryption Rule.
    4. Move the cloned Decryption Policy above the original Decryption Policy.
    5. Open the cloned Decryption Policy and go to the URL Category tab.
    6. Click the Add button.
    7. Add the URL category and commit.
      (screenshot: WA2.PNG)


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail