SSL Decryption fails for certain HTTPS sites with error: ERR_SSL_PROTOCOL_ERROR ;client hs_type 0

Created On 01/21/20 11:15 AM - Last Modified 08/20/20 08:55 AM


SSL Decryption fails for certain HTTPS sites with error: ERR_SSL_PROTOCOL_ERROR


Client---------> PA( decryption ) ----------> Internet -- HTTPS sites
Forward-Proxy configured on the PA firewall

Information needed for troubleshooting:
  1. Client machine pcap
  2. Firewall packet captures from all four stages involved in decryption
  3. Flow Basic
  4. SSL Basic
  5. Proxy Basic


Access to certain sites fails with decryption enabled when the client requests SSL renegotiation while the existing handshake is still in progress. This is triggered from the client side and can be seen at the client key exchange as a handshake message of type 0 (Hello Request).

The PA firewall does not support SSL/TLS renegotiation.
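To confirm from the client-side pcap that a type 0 (Hello Request) handshake message is what the firewall rejects, the following added parser walks raw TLS records and names each handshake message it finds. This is an illustrative example written for this article, not Palo Alto Networks code; the sample records are constructed and carry only minimal bodies.

```python
import struct

# TLS handshake message type codes (RFC 5246, section 7.4).
# Type 0 is HelloRequest, which the firewall log reports as "hs_type 0".
HANDSHAKE_TYPES = {
    0: "HelloRequest",
    1: "ClientHello",
    2: "ServerHello",
    11: "Certificate",
    16: "ClientKeyExchange",
    20: "Finished",
}
CONTENT_TYPE_HANDSHAKE = 0x16


def parse_handshake_records(data: bytes):
    """Walk consecutive TLS records and return (record_version, type_name)
    for every handshake message. Non-handshake records (alerts, application
    data) are skipped; a truncated record or message raises ValueError."""
    messages, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header")
        content_type, version, length = struct.unpack_from("!BHH", data, offset)
        offset += 5
        body = data[offset:offset + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        offset += length
        if content_type != CONTENT_TYPE_HANDSHAKE:
            continue
        pos = 0
        while pos < len(body):
            if len(body) - pos < 4:
                raise ValueError("truncated handshake header")
            hs_type = body[pos]                                  # 1-byte type
            hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")  # 3-byte length
            pos += 4 + hs_len
            if pos > len(body):
                raise ValueError("truncated handshake message")
            messages.append((version, HANDSHAKE_TYPES.get(hs_type, f"unknown({hs_type})")))
    return messages


def has_client_renegotiation(data: bytes) -> bool:
    """True when a HelloRequest (hs_type 0) appears among the client's records,
    the condition the firewall logs as 'unexpected message client hs_type 0'."""
    return any(name == "HelloRequest" for _, name in parse_handshake_records(data))


# Constructed samples: a minimal ClientHello record (body shortened to the
# version field), an application-data record, and a zero-length HelloRequest.
CLIENT_HELLO = bytes.fromhex("1603010006" "010000020303")
APP_DATA = bytes.fromhex("1703030002" "aabb")
HELLO_REQUEST = bytes.fromhex("1603030004" "00000000")
```

Running `has_client_renegotiation()` over the client-to-firewall bytes of a failing session should return True for the sites this article describes.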


Create a Decryption exception for the HTTPS sites that fail due to SSL renegotiation.

Additional Information

Log Snippets:
2019-12-13 04:14:37.418 -0800 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1039): unexpected message client hs_type 0 <<<
2019-12-13 04:14:37.418 -0800 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:242): pan_ssl3_process_handshake_msg() failed -1
2019-12-13 04:14:37.418 -0800 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:610): pan_ssl_parse_record() failed[57615]-->[443] <<<<<<<
2019-12-13 04:14:37.418 -0800 pan_proxy_handle_error(pan_proxy.c:2118): handle error -1
2019-12-13 04:14:37.418 -0800 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2102): In session(7846), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip <<<<<<<
2019-12-13 04:14:37.418 -0800 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1040): pan_ssl_proxy_parse_data() failed -1, not block[443]-->[4708]

PCAP: Session-ID field in Client Hello Request.
