Decryption fails with an error when the website uses HSTS

34878
Created On 07/22/19 19:12 PM - Last Modified 09/04/19 16:45 PM


Symptom


  • After enabling decryption on the firewall, the browser shows the error "Your connection is not private", as seen below:

User-added image


Environment


  • GlobalProtect Cloud Service
  • Customer PC device
  • SSL Forward Proxy decryption is configured on the firewall that is processing the SSL traffic


Cause


  • The issue is that the website uses HSTS (HTTP Strict Transport Security), which some web browsers support. HSTS is a web security policy mechanism that forces the browser to interact with the website only over secure HTTPS connections (never HTTP), which helps prevent protocol downgrade attacks and cookie hijacking. When HSTS is in effect, the browser does not allow the user to click past a certificate error, so if the certificate the firewall presents for the decrypted session is not trusted by the client, the connection fails outright instead of showing a bypassable warning.


Resolution


1. Make sure the certificate used for decryption is installed in the client machine's certificate store
2. On the firewall that is doing the decryption, the certificate used for decryption should be marked as "Trusted Root CA", as seen below

User-added image
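To confirm which condition a given client is hitting, the following diagnostic is an added example, not part of this article or of PAN-OS: it reports whether the site sends an HSTS policy and whether this machine's trust store accepts the certificate chain it is served through the decrypting firewall. The hostname and port passed to `probe()` are assumptions; the pure-logic functions work offline.

```python
"""Diagnose the HSTS + SSL forward proxy failure from the client's point of view."""
import socket
import ssl
import sys
from http.client import HTTPSConnection


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    if not header:
        return out
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: treat as absent
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def diagnose(hsts, verify_error):
    """verify_error is None when the local trust store accepted the served chain,
    otherwise the verifier's message (e.g. 'unable to get local issuer certificate')."""
    enforced = bool(hsts["max_age"])  # max-age=0 clears the policy
    if verify_error is None:
        return "ok: served chain is trusted by this client"
    if enforced:
        return ("hard-fail: site enforces HSTS (max-age=%d) and the chain is not trusted (%s); "
                "browsers will not bypass this, so the firewall's forward-trust CA must be "
                "installed in the client store" % (hsts["max_age"], verify_error))
    return "warning: chain not trusted (%s); browser shows a bypassable warning" % verify_error


def probe(host, port=443, timeout=5):
    """Run both checks against a live host (needs network access; host is an assumption)."""
    verify_error = None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                pass  # handshake alone tells us whether the chain verifies
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message
    # Read the header over an unverified connection so it works even when the chain fails.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.request("HEAD", "/")
    header = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return diagnose(parse_hsts(header), verify_error)


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A site already cached in the browser's HSTS store or on the preload list is enforced even if this probe sees no header, so treat an absent header as "not proven", not as "not enforced".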


Additional Information




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMPVCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail