Palo Alto Networks Knowledgebase: Inbound SSL Decryption Fails when SSL Compression is Enabled


Created On 02/07/19 23:37 PM - Last Updated 02/07/19 23:37 PM

Issue

Inbound SSL decryption fails even though a valid certificate and a supported cipher suite are used. This is typically seen when Apache is the web server and curl (or an old version of Chrome or Firefox) is the client.


Cause

The issue occurs when SSL/TLS compression is enabled on both the client and the server. The two sides then negotiate a compression method (typically DEFLATE) during the handshake, and the firewall cannot decrypt the compressed session.

To verify, take a packet capture of the handshake and look at the "Compression Method" field in the Client Hello and the Server Hello. The Client Hello lists the methods the client offers; the Server Hello carries the single method the server selected. A selected value of null (0) means no compression; any other value (for example DEFLATE (1)) means the session is compressed and decryption will fail.

(Screenshots: packet capture showing the Compression Method field in the Client Hello and in the Server Hello.)
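The check described above, done on the raw handshake bytes instead of by eye in a packet-capture viewer. This is an added example and not part of the Palo Alto Networks article: it parses a TLS record carrying a ClientHello or ServerHello, pulls out the compression method(s), and reports whether a non-null method was negotiated. The two hello records it works on are constructed inline for the example (fixed random bytes, empty session ID, one cipher suite); in practice you would feed it the handshake record bytes exported from the capture.

```python
"""Report the TLS compression method offered by a client and selected by a server.

Added example, not from the Palo Alto Networks article. Input is a TLS record
(5-byte record header + handshake message) as exported from a packet capture.
"""
import struct

# IANA TLS compression method identifiers:
# null (RFC 5246), DEFLATE (RFC 3749), LZS (RFC 3943)
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE", 64: "LZS"}

HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns the handshake type and its compression method(s): a list of the
    methods a ClientHello offers, or the single method a ServerHello selected.
    """
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len:
        raise ValueError("truncated handshake message")

    pos = 2 + 32                      # skip legacy_version and random
    sid_len = msg[pos]
    pos += 1 + sid_len                # skip session_id
    if msg_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2 + cs_len             # skip cipher_suites vector
        cm_len = msg[pos]             # compression_methods vector (1-byte length)
        methods = list(msg[pos + 1:pos + 1 + cm_len])
        return {"type": "ClientHello", "compression": methods}
    if msg_type == SERVER_HELLO:
        pos += 2                      # skip the selected cipher_suite
        return {"type": "ServerHello", "compression": msg[pos]}
    raise ValueError(f"unexpected handshake type {msg_type}")


def compression_negotiated(client_record: bytes, server_record: bytes) -> tuple:
    """Return (negotiated, name): True if the server selected a non-null method."""
    client = parse_hello(client_record)
    server = parse_hello(server_record)
    selected = server["compression"]
    name = COMPRESSION_NAMES.get(selected, f"unknown({selected})")
    if selected != 0 and selected not in client["compression"]:
        raise ValueError(f"server selected {name}, which the client never offered")
    return selected != 0, name


# --- constructed sample records (not real captures) -----------------------

def _wrap(msg_type: int, msg: bytes) -> bytes:
    """Wrap a handshake body in a handshake header and a TLS 1.2 record header."""
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(comp_methods: bytes, cipher_suites: bytes = b"\x00\x2f") -> bytes:
    """Minimal TLS 1.2 ClientHello offering the given compression methods."""
    msg = (b"\x03\x03" + b"\x11" * 32            # legacy_version, fixed random
           + b"\x00"                             # empty session_id
           + struct.pack("!H", len(cipher_suites)) + cipher_suites
           + bytes([len(comp_methods)]) + comp_methods)
    return _wrap(CLIENT_HELLO, msg)


def build_server_hello(comp_method: int, cipher_suite: bytes = b"\x00\x2f") -> bytes:
    """Minimal TLS 1.2 ServerHello selecting the given compression method."""
    msg = b"\x03\x03" + b"\x22" * 32 + b"\x00" + cipher_suite + bytes([comp_method])
    return _wrap(SERVER_HELLO, msg)


if __name__ == "__main__":
    # Old curl offers DEFLATE and null; an Apache without "SSLCompression off" picks DEFLATE.
    client = build_client_hello(b"\x01\x00")
    print(parse_hello(client))
    print("DEFLATE server:", compression_negotiated(client, build_server_hello(1)))
    # Same client against a server with compression disabled: null is selected.
    print("fixed server:  ", compression_negotiated(client, build_server_hello(0)))
```

The parser stops at the compression field and ignores any extensions that follow, which is all this check needs; a ServerHello selecting a method the client did not offer is reported as an error because a conforming server never does that.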


Resolution

SSL compression is disabled by default in current clients and web servers because of the CRIME attack (CVE-2012-4929), which uses the compression ratio of TLS records to recover secrets such as session cookies. Compression is only used when both sides agree to it, so disabling it on either the server or the client is enough. The resolution is to use newer versions of the server and client software:

  • Update Apache to 2.4.3 or later, which adds the mod_ssl "SSLCompression" directive, and set "SSLCompression off" (the default from 2.4.4 onward).
  • Update curl to 7.28.1 or later, which no longer enables SSL compression.
  • Use the latest version of Chrome or Firefox. (IE, Safari and Opera have never supported SSL compression.)


owner: ymiyashita



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5OCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail