SSL decryption failure with unexpected message client "hs_type 0"
21800
Created On 04/29/19 09:07 AM - Last Modified 07/22/25 01:07 AM
Symptom
This article explains the SSL decryption failure with the error "unexpected message client hs_type 0" on a Palo Alto Networks firewall.
Environment
SSL decryption configured on the firewall.
Cause
Consider the example below of SSL decryption configured on the firewall, where the source 192.168.35.66 is connecting to the server 203.213.110.163.
> show session all filter destination 203.213.110.163
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
456823 web-browsing DISCARD FLOW NS 192.168.35.66[48282]/L3-Trust/6 (10.129.82.35[61442])
vsys1 203.213.110.163[443]/L3-Untrust (203.213.110.163[443])
> show session id 456823
Session 456823
c2s flow:
source: 192.168.35.66 [L3-Trust]
dst: 203.213.110.163
proto: 6
sport: 48282 dport: 443
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 203.213.110.163 [L3-Untrust]
dst: 10.129.82.35
proto: 6
sport: 443 dport: 61442
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Wed Aug 16 16:45:54 2017
timeout : 15 sec
total byte count(c2s) : 2568
total byte count(s2c) : 3605
layer7 packet count(c2s) : 20
layer7 packet count(s2c) : 8
vsys : vsys1
application : web-browsing
rule : Trust-to-Untrust
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source
nat-rule : Trust-NAT(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : computer-and-internet-info
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/3
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : proxy decrypt failure
end-reason : decrypt-error
> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.35.66[0]->203.213.110.163[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 203.213.110.163[0]->10.129.82.35[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
ingress-interface any, egress-interface any, exclude non-IP
Index 3: 203.213.110.163[0]->192.168.35.66[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic
proxy : basic timer detail
ssl : basic

Decryption fails because the server is sending a "Hello Request", which causes the firewall to end the session because it is not supported. When detailed debugging is enabled, the following errors, showing "hs_type 0", can be seen in the packet-diag logs, as shown below.
2017-08-16 16:45:55.392 +0800 Error: pan_ssl3_process_handshake_msg(pan_ssl3.c:1022): unexpected message client hs_type 0
2017-08-16 16:45:55.392 +0800 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:237): pan_ssl3_process_handshake_msg() failed -1
2017-08-16 16:45:55.392 +0800 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:591): pan_ssl_parse_record() failed
192.168.35.66[48282]-->203.213.110.163[443]
2017-08-16 16:45:55.392 +0800 pan_proxy_handle_error(pan_proxy.c:1878): handle error -1
2017-08-16 16:45:55.392 +0800 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:1862): In session(456823), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
2017-08-16 16:45:55.392 +0800 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1010): pan_ssl_proxy_parse_data() failed -1, not block
Resolution
The decrypted session is discarded in these cases because the server is sending a "Hello Request". This is expected behavior, because the server's "Hello Request" is not supported.
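The Cause section attributes the failure to the server sending a "Hello Request". In TLS 1.2 (RFC 5246, section 7.4) that is handshake message type 0, which is what the firewall log reports as "hs_type 0". The following Python is an added example, not Palo Alto Networks code and not a model of the firewall's SSL proxy: it decodes the TLS record layer and the handshake headers inside plaintext Handshake records, so a byte string taken from a decrypted capture can be checked for a HelloRequest before raising the issue with the server owner. The sample bytes are constructed for the example; the ServerHello body is placeholder data.

```python
"""Decode plaintext TLS records and name the handshake messages inside them.

Added example; not Palo Alto Networks code. Reads the TLS record header
(RFC 5246 section 6.2) and the handshake header (section 7.4) so captured
plaintext bytes can be checked for a HelloRequest, the "hs_type 0" message.
"""
from typing import List, Tuple

CONTENT_TYPE_HANDSHAKE = 22  # record content type carrying handshake messages

# HandshakeType values from RFC 5246 section 7.4; 0 is HelloRequest.
HANDSHAKE_TYPES = {
    0: "HelloRequest",
    1: "ClientHello",
    2: "ServerHello",
    11: "Certificate",
    12: "ServerKeyExchange",
    13: "CertificateRequest",
    14: "ServerHelloDone",
    15: "CertificateVerify",
    16: "ClientKeyExchange",
    20: "Finished",
}


def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Split raw bytes into (content_type, payload) TLS records.

    Record header: 1-byte content type, 2-byte version, 2-byte length.
    A truncated trailing record is dropped rather than guessed at.
    """
    records = []
    pos = 0
    while pos + 5 <= len(data):
        content_type = data[pos]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        end = pos + 5 + length
        if end > len(data):
            break
        records.append((content_type, data[pos + 5:end]))
        pos = end
    return records


def handshake_messages(payload: bytes) -> List[int]:
    """Return the handshake types found in one plaintext Handshake record.

    Handshake header: 1-byte type, 3-byte body length. One record may carry
    several messages back to back, so loop until the payload is consumed.
    """
    types = []
    pos = 0
    while pos + 4 <= len(payload):
        hs_type = payload[pos]
        body_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + body_len > len(payload):
            break
        types.append(hs_type)
        pos += 4 + body_len
    return types


def handshake_names(data: bytes) -> List[str]:
    """Name every handshake message in `data`, in wire order."""
    names = []
    for content_type, payload in parse_records(data):
        if content_type != CONTENT_TYPE_HANDSHAKE:
            continue
        for hs_type in handshake_messages(payload):
            names.append(HANDSHAKE_TYPES.get(hs_type, f"unknown({hs_type})"))
    return names


def has_hello_request(data: bytes) -> bool:
    """True if any Handshake record carries a HelloRequest (hs_type 0)."""
    return "HelloRequest" in handshake_names(data)


# Constructed sample, not a real capture: a ServerHello record (body bytes are
# placeholders), an ApplicationData record, then a HelloRequest record. The
# HelloRequest is type 0 with a zero-length body: 00 00 00 00.
SAMPLE_SERVER_BYTES = (
    b"\x16\x03\x03\x00\x07" + b"\x02\x00\x00\x03\xaa\xbb\xcc"
    + b"\x17\x03\x03\x00\x02" + b"\x01\x02"
    + b"\x16\x03\x03\x00\x04" + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print(handshake_names(SAMPLE_SERVER_BYTES))   # ['ServerHello', 'HelloRequest']
    print(has_hello_request(SAMPLE_SERVER_BYTES))  # True
```

A HelloRequest is sent after the handshake has completed, so on the wire its record is encrypted under the session keys even though the record header still says content type 22. This parser therefore only gives meaningful results on plaintext, that is, on traffic that has been decrypted (for example a capture decrypted with the session keys); fed an encrypted payload it will either stop at the first length check or report meaningless types.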