How to Identify Root Cause for SSL Decryption Failure Issues
154541
Created On 09/26/18 13:47 PM - Last Modified 12/02/22 19:12 PM
Symptom
- How to identify decryption failures due to an unsupported cipher suite.
- Check out the following compatibility matrix to confirm the currently Supported Cipher Suites
Environment
- Palo Alto Firewall
- PAN-OS 8.1, 9.1, 10.1,10.2
- SSL Decryption
Cause
In this example, the SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptec Curve Ephemeral Diffie-Hellman (ECDHE).
Follow these steps to confirm the issue:
- Run a packet capture from the Palo Alto Networks device (see How to Run a Packet Capture). Examine Client Hello packets sent by the client and the response packets sent by the server. Look for "Handshake Failure," which is shown below.
- View the Cipher Suites supported by the client or Palo Alto Networks device in the Client Hello packets.
- Using the SSL scan tool https://www.ssllabs.com/ssltest/index.html, find out which cipher suites are supported by the server. See this example:
The output above confirms that the issue is due to unsupported cipher suites.
Resolution
Create a No Decrypt policy.
- Create a Custom URL Category for that site.
- Go to > Objects > URL Category.
- Click on the Add button.
- Name the Custom URL Category.
- Click the Add button and then add the server's site and commit.
- Create a Decryption Policy with a No Decrypt action of that URL site.
- Go to Policies > Decryption.
- Select the Decryption Rule.
- Clone the Decryption Rule.
- Move the Clone Decryption Policy above the Decryption Policy.
- Click on the Clone Decryption Policy > URL Category.
- Click on the Add button.
- Add the URL site and commit.