How to Identify Root Cause for SSL Decryption Failure Issues
106522
Created On 09/26/18 13:47 PM - Last Modified 09/14/20 22:33 PM
Symptom
- How to identify decryption failures due to an unsupported cipher suite.
- Check out the following compatibility matrix to confirm the currently supported cipher suites:
Environment
- PAN-OS
- SSL Decryption
Cause
In this example, SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) cipher suites.
Follow these steps to confirm the issue:
- Run a packet capture on the Palo Alto Networks device (see How to Run a Packet Capture). Examine the Client Hello packets sent by the client and the response packets sent by the server. Look for a "Handshake Failure" alert, as shown below.
- In the Client Hello packets, view the cipher suites offered by the client (or by the Palo Alto Networks device, which acts as the client toward the server when proxying).
- Using the SSL scan tool https://www.ssllabs.com/ssltest/index.html, find out which cipher suites are supported by the server. See this example:
The output above confirms that the issue is due to unsupported cipher suites.
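The comparison the steps above describe, as an added example that is not part of this article or of PAN-OS: parse the cipher suites from a captured Client Hello, recognise the server's handshake_failure alert, and check the offered suites against the list a scanner such as the SSL Labs test reports for the server. The capture bytes, the code points in SUITE_NAMES and the server's supported set are constructed for this example.

```python
import struct

# IANA cipher-suite code points and names used in the constructed sample.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def build_client_hello(suites):
    """Constructed TLS 1.2 ClientHello record (empty session id, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, session id len
             + struct.pack("!H", len(cs)) + cs        # cipher suites length + list
             + b"\x01\x00" + b"\x00\x00")             # compression methods, extensions len
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello_suites(record):
    """Return the cipher-suite code points offered in a TLS ClientHello record."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    pos = 1 + 3 + 2 + 32               # skip msg type, length, version, random
    pos += 1 + body[pos]               # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]

def is_handshake_failure(record):
    """True for a fatal TLS Alert record (type 21) with description handshake_failure (40)."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    return ctype == 21 and rlen == 2 and record[5:7] == b"\x02\x28"

def diagnose(client_record, server_record, server_suites):
    """Return (handshake_failed, names of suites both sides support)."""
    offered = parse_client_hello_suites(client_record)
    common = [SUITE_NAMES.get(s, hex(s)) for s in offered if s in server_suites]
    return is_handshake_failure(server_record), common

# Constructed capture: the proxy offers RSA key-exchange suites only, the server
# answers with a fatal handshake_failure alert, and the scanner reports that the
# server accepts only the ECDHE and DHE suites.
CLIENT_HELLO = build_client_hello([0x002F, 0x0035])
SERVER_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"
SERVER_SUITES = {0xC02F, 0x009E}
```

`diagnose(CLIENT_HELLO, SERVER_ALERT, SERVER_SUITES)` returns `(True, [])`: a handshake failure with no cipher suite in common, which is the mismatch the article describes.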
Resolution