How to Identify Root Cause for SSL Decryption Failure Issues
165622
Created On 09/26/18 13:47 PM - Last Modified 12/02/22 19:12 PM
Symptom
- How to identify decryption failures due to an unsupported cipher suite.
- Check out the following compatibility matrix to confirm the currently Supported Cipher Suites
Environment
- Palo Alto Firewall
- PAN-OS 8.1, 9.1, 10.1,10.2
- SSL Decryption
Cause
In this example, the SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) cipher suites, which the firewall's SSL proxy does not offer in its Client Hello.
Follow these steps to confirm the issue:
- Run a packet capture from the Palo Alto Networks device (see How to Run a Packet Capture). Examine the Client Hello packets sent by the client and the response packets sent by the server. Look for a "Handshake Failure" alert in the server's response.
- View the Cipher Suites offered by the client or by the Palo Alto Networks device in the Client Hello packets.
- Using the SSL scan tool https://www.ssllabs.com/ssltest/index.html, find out which cipher suites are supported by the server.
If none of the cipher suites offered in the Client Hello appear in the server's supported list, the decryption failure is due to unsupported cipher suites.
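The comparison the steps above describe can be reproduced offline. The following Python script is an added example, not part of this article or of PAN-OS: it builds a constructed TLS 1.2 Client Hello, extracts the cipher suites it offers (the same field you would read in the packet capture), checks them against a constructed list of server-supported suites (what the SSL Labs scan would report), and decodes the server's "handshake_failure" alert record. The cipher suite IDs are standard IANA registry values; the sample server list, which only contains DHE/ECDHE suites, is an assumption chosen to match the cause described in this article.

```python
import struct

# Standard IANA cipher suite IDs used in the constructed sample data.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# TLS alert descriptions relevant to this diagnosis (RFC 5246 values).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

# Constructed server reply: Alert record, level 2 (fatal), description 40.
SERVER_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"


def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed test data)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:]
    pos = 2 + 32                                        # skip client_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def parse_alert(record):
    """Return (level, description_name) for a TLS Alert record, or None for other records."""
    if record[0] != 0x15:
        return None
    level, description = record[5], record[6]
    return level, ALERT_NAMES.get(description, f"unknown({description})")


def diagnose(client_hello, server_suites):
    """Compare offered suites with the server's list; an empty overlap explains the failure."""
    offered = parse_client_hello_suites(client_hello)
    overlap = [s for s in offered if s in server_suites]
    return {
        "offered": [SUITE_NAMES.get(s, hex(s)) for s in offered],
        "overlap": [SUITE_NAMES.get(s, hex(s)) for s in overlap],
        "unsupported_cipher_suites": not overlap,
    }


if __name__ == "__main__":
    # Constructed scenario: the proxy offers RSA key exchange only, the server accepts DHE/ECDHE only.
    hello = build_client_hello([0x002F, 0x0035, 0x009C])
    server_supports = {0x009E, 0xC02B, 0xC02F, 0xC030}
    print(diagnose(hello, server_supports))
    print(parse_alert(SERVER_ALERT))
```

Run the script as is to see the constructed mismatch; to apply it to a real capture, feed the raw bytes of the captured Client Hello record to parse_client_hello_suites and the server suite IDs from the SSL Labs report to diagnose.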