List of supported Signature Algorithms for SSL Inbound Inspection
18858
Created On 08/13/19 03:14 AM - Last Modified 12/04/19 22:24 PM
Question
Which signature algorithms are supported on PAN-OS for SSL inbound inspection?
Environment
- Palo Alto Firewall.
- PAN-OS 8.0 and above.
- SSL inbound inspection configured.
Answer
The Palo Alto Networks firewall supports SSL inbound inspection with the following signature hash algorithms. Configure the web server to offer only these signature hash algorithms:
- RSA, MD5
- RSA, MD2
- RSA, SHA
- RSA, SHA256
- RSA, SHA384
- RSA, SHA512
- ECDSA, SHA
- ECDSA, SHA256
- ECDSA, SHA384
- ECDSA, SHA512
Additional Information
- The web server is hosted on an Apache or IIS server.
- The connection fails with a Decrypt Error because the Server Key Exchange uses a signature hash algorithm that is not supported.
- When the server key exchange uses ECDHE, the client offers a list of signature hash algorithms that may include 'pss' when the client is Google Chrome or Mozilla Firefox.
- The server can then select the 'pss' signature hash algorithm, which is not supported on PAN-OS.
The following is an example in which decryption failed because the server chose the 'pss' signature hash algorithm.
- Client Hello
- Server Hello Done
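To make the failure mode above concrete, here is an added example (not from the article or from Palo Alto Networks) that parses the signature algorithm field out of a TLS 1.2 ECDHE ServerKeyExchange body and checks it against the list of algorithms this article says PAN-OS supports. The codepoint values come from RFC 5246 and RFC 8446; the ServerKeyExchange bytes are constructed sample data, and the RSA+MD2 entry is omitted because it has no TLS 1.2 codepoint.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm values (RFC 5246 section 7.4.1.4.1) and the
# rsa_pss_* SignatureScheme codepoints (RFC 8446 section 4.2.3) as they appear
# on the wire in a TLS 1.2 ServerKeyExchange.
SIGALG_NAMES = {
    0x0101: "rsa_md5", 0x0201: "rsa_sha1", 0x0401: "rsa_sha256",
    0x0501: "rsa_sha384", 0x0601: "rsa_sha512",
    0x0203: "ecdsa_sha1", 0x0403: "ecdsa_sha256", 0x0503: "ecdsa_sha384",
    0x0603: "ecdsa_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}

# Algorithms this article lists as supported for SSL Inbound Inspection.
# RSA+MD2 is listed too but has no TLS 1.2 codepoint, so it cannot appear here.
PANOS_SUPPORTED = {0x0101, 0x0201, 0x0401, 0x0501, 0x0601,
                   0x0203, 0x0403, 0x0503, 0x0603}


def parse_ecdhe_ske(body: bytes) -> dict:
    """Parse a TLS 1.2 ECDHE ServerKeyExchange handshake body (RFC 4492 5.4)
    and report the named curve and the signature algorithm the server chose."""
    if body[0] != 3:  # ECCurveType.named_curve is the only form seen in practice
        raise ValueError("only named_curve ServerKeyExchange is handled")
    named_curve = struct.unpack("!H", body[1:3])[0]
    point_len = body[3]
    off = 4 + point_len                       # skip the ECPoint
    sigalg = struct.unpack("!H", body[off:off + 2])[0]
    sig_len = struct.unpack("!H", body[off + 2:off + 4])[0]
    if len(body) != off + 4 + sig_len:
        raise ValueError("truncated or malformed ServerKeyExchange")
    return {"named_curve": named_curve, "sigalg": sigalg,
            "sigalg_name": SIGALG_NAMES.get(sigalg, "unknown"),
            "panos_supported": sigalg in PANOS_SUPPORTED}


def build_sample_ske(sigalg: int) -> bytes:
    """Construct a sample ServerKeyExchange: secp256r1 (0x0017), a dummy
    uncompressed point and a dummy 256-byte signature (constructed data)."""
    point = b"\x04" + b"\x11" * 64
    sig = b"\x22" * 256
    return (b"\x03" + struct.pack("!H", 0x0017) + bytes([len(point)]) + point
            + struct.pack("!H", sigalg) + struct.pack("!H", len(sig)) + sig)


if __name__ == "__main__":
    for alg in (0x0401, 0x0804):  # rsa_sha256 decrypts; rsa_pss_rsae_sha256 fails
        r = parse_ecdhe_ske(build_sample_ske(alg))
        print(f"{r['sigalg_name']:<22} panos_supported={r['panos_supported']}")
```

The same parser can be pointed at the ServerKeyExchange bytes from a packet capture of a failing session to confirm that a 'pss' scheme (0x0804 to 0x080B) is the cause before changing the web server's signature algorithm configuration.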