List of supported Signature Algorithms for SSL Inbound Inspection

Created On 08/13/19 03:14 AM - Last Modified 12/04/19 22:24 PM


Question


Which signature algorithms are supported on PAN-OS for SSL Inbound Inspection?

Environment


  • Palo Alto Firewall.
  • PAN-OS 8.0 and above.
  • SSL inbound inspection configured.


Answer


The Palo Alto Networks firewall supports SSL Inbound Inspection with the following signature hash algorithms. Configure the web server to offer only these signature hash algorithms:
  • RSA, MD5
  • RSA, MD2
  • RSA, SHA
  • RSA, SHA256
  • RSA, SHA384
  • RSA, SHA512
  • ECDSA, SHA
  • ECDSA, SHA256
  • ECDSA, SHA384
  • ECDSA, SHA512


Additional Information


  • The web server is hosted on Apache or IIS.
  • The connection fails with a Decrypt Error because the server key exchange uses a signature hash algorithm that is not supported.
  • When the key exchange uses ECDHE, the client offers Signature Hash Algorithms that may include 'pss' (Google Chrome and Mozilla Firefox do this).
  • The server can select the 'pss' signature hash algorithm, which is not supported on PAN-OS.
The following is an example where decryption failed because of the 'pss' signature hash algorithm.
  • Client Hello (packet capture screenshot not reproduced)
  • Server Hello Done (packet capture screenshot not reproduced)
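To check a capture for this failure mode without the screenshots, the following added example (not from the PAN-OS article) decodes the TLS `signature_algorithms` extension body from a ClientHello, or the 2-byte algorithm field that precedes the signature in a TLS 1.2 ECDHE ServerKeyExchange, and flags any scheme outside the article's supported list. The code point table is from RFC 5246/8446; the sample ClientHello list is constructed, and MD2 is omitted because TLS has no code point for it.

```python
import struct

# SignatureScheme code points (TLS 1.2 wire order: hash byte, signature byte).
SCHEME_NAMES = {
    0x0101: "RSA, MD5",      0x0201: "RSA, SHA",      0x0401: "RSA, SHA256",
    0x0501: "RSA, SHA384",   0x0601: "RSA, SHA512",
    0x0203: "ECDSA, SHA",    0x0403: "ECDSA, SHA256",
    0x0503: "ECDSA, SHA384", 0x0603: "ECDSA, SHA512",
    0x0804: "RSA-PSS (rsae), SHA256", 0x0805: "RSA-PSS (rsae), SHA384",
    0x0806: "RSA-PSS (rsae), SHA512", 0x0809: "RSA-PSS (pss), SHA256",
    0x080A: "RSA-PSS (pss), SHA384",  0x080B: "RSA-PSS (pss), SHA512",
}

# The article's supported list as code points (MD2 has no TLS code point).
SUPPORTED = {0x0101, 0x0201, 0x0401, 0x0501, 0x0601, 0x0203, 0x0403, 0x0503, 0x0603}

def scheme_name(code):
    return SCHEME_NAMES.get(code, "unknown(0x%04x)" % code)

def parse_signature_algorithms(ext_body):
    """Decode the extension body: 2-byte list length, then 2-byte scheme codes."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len > len(ext_body):
        raise ValueError("bad signature_algorithms list length")
    return list(struct.unpack("!%dH" % (list_len // 2), ext_body[2:2 + list_len]))

def unsupported_offered(ext_body):
    """Schemes the client offers that SSL Inbound Inspection cannot verify."""
    return [scheme_name(c) for c in parse_signature_algorithms(ext_body) if c not in SUPPORTED]

def server_choice_ok(sig_alg_bytes):
    """Check the algorithm field of a TLS 1.2 ServerKeyExchange signature."""
    (code,) = struct.unpack("!H", sig_alg_bytes[:2])
    return code in SUPPORTED, scheme_name(code)

# Constructed sample: a Chrome-style signature_algorithms list that includes PSS.
CHROME_LIKE = bytes.fromhex("0010" "0403" "0804" "0401" "0503" "0805" "0501" "0806" "0601")

if __name__ == "__main__":
    print("offered but not verifiable by PAN-OS:", unsupported_offered(CHROME_LIKE))
    print("server picked rsa_pss_rsae_sha256:", server_choice_ok(bytes.fromhex("0804")))
    print("server picked rsa_pkcs1_sha256:", server_choice_ok(bytes.fromhex("0401")))
```

If `server_choice_ok` reports the chosen scheme as unsupported, that ServerKeyExchange is the one the firewall cannot verify, and the fix is the server-side signature algorithm restriction given in the Answer.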


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMaTCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail