GlobalCounters: ssl_extended_master_secret And proxy_decrypt_error_overall

Created On 01/21/20 08:13 AM - Last Modified 10/07/20 23:50 PM


Symptom


  • Website browser error displays:
    This site can't provide a secure connection. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • Global counters:
    proxy_decrypt_error_overall: Overall number of decrypt error (not including cert validation and unsupport param)
    ssl_extended_master_secret: Number of ssl session created using extended master extension
  • discard unknown cipher id
  • parse client hello error 0 not excluded


Environment


  • Palo Alto Networks Firewalls configured with decryption.


Cause


  • EC Diffie-Hellman Server Named Curve: x25519 (0x001d) is not supported on PAN-OS 8.1.x


Resolution


  • On the server, disable only the elliptic curve x25519.

Additional Information


Supported elliptic curves in PAN-OS 8.1.x

SSL/TLS Decryption—NIST-approved Elliptical Curves
P-192 (secp192r1)
P-224 (secp224r1)
P-256 (secp256r1)
P-384 (secp384r1)
P-521 (secp521r1)

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-8-1/cipher-suites-supported-in-pan-os-8-1-decryption.html#id181GE0UF0HR
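
To confirm the cause from a packet capture, the check below reads the named curve from a TLS 1.2 ServerKeyExchange record and compares it with the curves listed above. It is an added example, not Palo Alto Networks code: the function names are hypothetical, the sample record is constructed, the curve ids are the IANA TLS Supported Groups values, and it assumes the message sits unfragmented in one record.

```python
import struct

# IANA "TLS Supported Groups" ids for the curves the article lists as supported.
PANOS_81_DECRYPT_CURVES = {
    0x0013: "secp192r1", 0x0015: "secp224r1", 0x0017: "secp256r1",
    0x0018: "secp384r1", 0x0019: "secp521r1",
}
KNOWN_UNSUPPORTED = {0x001D: "x25519"}  # curve named in the Cause section

def server_named_curve(record: bytes) -> int:
    """Return the named-curve id from one TLS 1.2 ServerKeyExchange record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:  # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 4 or body[0] != 12:  # 12 = server_key_exchange
        raise ValueError("not a complete ServerKeyExchange message")
    params = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(params) < 3 or params[0] != 3:  # 3 = curve_type named_curve
        raise ValueError("ECDHE params do not use curve_type named_curve")
    return int.from_bytes(params[1:3], "big")

def check_curve(record: bytes):
    """Return (curve id, name, True if on the PAN-OS 8.1.x list above)."""
    cid = server_named_curve(record)
    name = PANOS_81_DECRYPT_CURVES.get(cid) or KNOWN_UNSUPPORTED.get(cid, "unknown")
    return cid, name, cid in PANOS_81_DECRYPT_CURVES

def build_sample_record(curve_id: int) -> bytes:
    """Constructed sample: dummy public key and signature, not a real capture."""
    params = b"\x03" + curve_id.to_bytes(2, "big") + bytes([32]) + bytes(32)
    params += b"\x04\x01" + (4).to_bytes(2, "big") + bytes(4)
    msg = b"\x0c" + len(params).to_bytes(3, "big") + params
    return struct.pack("!BHH", 22, 0x0303, len(msg)) + msg

if __name__ == "__main__":
    for cid in (0x001D, 0x0017):
        print(check_curve(build_sample_record(cid)))
```

A result whose last field is False means the server selected a curve outside the supported list, which matches the symptom in this article.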

