Palo Alto Networks Knowledgebase: Inbound SSL Decryption Fails when SSL Compression is Enabled
Created On 02/07/19 23:37 PM - Last Updated 02/07/19 23:37 PM
Reporting and Logging
Inbound SSL decryption fails even when a valid certificate and a supported cipher suite are used. This can occur when Apache is the web server and curl (or an old version of Chrome or Firefox) is the client.
The issue occurs when SSL Compression is enabled on both client and server.
To verify, take a packet capture and look at the "Compression Method" field in both the Client Hello and the Server Hello.
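To automate that check on captured handshake records, here is an added Python example (not from the Palo Alto Networks article): it parses the compression_methods list out of a ClientHello and the selected method out of a ServerHello, and flags the case where both sides settled on a non-null method. It assumes standard TLS record framing (not an SSLv2-style ClientHello); the sample handshakes it builds are constructed, not captured traffic.

```python
import struct

def _handshake_body(record, expected_type):
    """Strip the 5-byte TLS record header and 4-byte handshake header."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != expected_type:
        raise ValueError(f"unexpected handshake type {hs_type}")
    return body[4:4 + hs_len]

def client_hello_compression(record):
    """Return the compression methods offered in a ClientHello, in order."""
    b = _handshake_body(record, 1)
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + b[pos]                                    # skip length-prefixed session_id
    pos += 2 + struct.unpack("!H", b[pos:pos + 2])[0]    # skip cipher_suites vector
    cm_len = b[pos]
    return list(b[pos + 1:pos + 1 + cm_len])

def server_hello_compression(record):
    """Return the single compression method the server selected."""
    b = _handshake_body(record, 2)
    pos = 2 + 32
    pos += 1 + b[pos]
    pos += 2                                             # skip the chosen cipher_suite
    return b[pos]

def compression_negotiated(client_hello, server_hello):
    """True when both sides agreed on a non-null method (0 = null, 1 = DEFLATE)."""
    chosen = server_hello_compression(server_hello)
    return chosen != 0 and chosen in client_hello_compression(client_hello)

# Constructed sample handshakes (not captured traffic): zeroed randoms, one cipher suite.
def build_client_hello(methods, suite=0x002F):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HH", 2, suite)
    body += bytes([len(methods)]) + methods
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(method, suite=0x002F):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HB", suite, method)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Feed the raw record bytes of the two hello messages from your capture to compression_negotiated; a True result is the condition this article describes.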
SSL compression is disabled by default in most current clients and web servers because of a security issue known as the CRIME attack. The resolution is to use newer versions of the server and client software.
Update Apache to 2.4.3 or later, which provides the "SSLCompression" directive for disabling SSL compression.
Update curl to 7.28.1 or later.
Use the latest version of Chrome or Firefox. (IE, Safari and Opera have never supported SSL compression.)