SSL Decryption fails for certain HTTPS sites with error: ERR_SSL_PROTOCOL_ERROR ;client hs_type 0
58440
Created On 01/21/20 11:15 AM - Last Modified 08/20/20 08:55 AM
Symptom
SSL Decryption fails for certain HTTPS sites with error: ERR_SSL_PROTOCOL_ERROR
Environment
Client ---------> PA (decryption) ---------> Internet ---------> HTTPS sites
Forward Proxy decryption configured on the PA firewall
Information needed for troubleshooting:
- Client machine pcap
- Firewall packet captures from all four stages for the session involved in decryption
- Flow Basic
- SSL Basic
- Proxy Basic
Cause
Access to certain sites fails under decryption when the client requests SSL renegotiation while the existing handshake is still in progress. This is triggered from the client side and can be seen in the Client Key Exchange as a handshake message of type 0 (Hello Request).
PA does not support SSL/TLS renegotiation.
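To confirm the cause in the client pcap, the handshake type can be read directly from the bytes of the TLS record that precedes the error. The following Python is an added example, not part of this article or of PAN-OS; the sample record bytes are constructed, and type 0 is the HelloRequest message defined in RFC 5246, which is what the firewall log reports as "hs_type 0".

```python
import struct

HANDSHAKE = 0x16
# Handshake message types from RFC 5246 section 7.4; 0 is the HelloRequest
# that asks the peer to renegotiate and that the log shows as "hs_type 0".
HS_TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello",
            11: "Certificate", 12: "ServerKeyExchange", 14: "ServerHelloDone",
            16: "ClientKeyExchange", 20: "Finished"}

def parse_handshake_record(record):
    """Split one TLS handshake record into its handshake messages.
    Returns a list of (type_code, name, body_length) tuples."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record: content type %d" % ctype)
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field exceeds available bytes")
    msgs, off = [], 0
    # One record may carry several handshake messages back to back, which is
    # how a renegotiation request can land in the middle of a handshake.
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated handshake header")
        hs_type = body[off]
        hs_len = int.from_bytes(body[off + 1:off + 4], "big")
        if off + 4 + hs_len > len(body):
            raise ValueError("handshake message overruns record")
        msgs.append((hs_type, HS_TYPES.get(hs_type, "unknown"), hs_len))
        off += 4 + hs_len
    return msgs

def has_renegotiation_request(record):
    """True if any handshake message in the record is a HelloRequest (type 0)."""
    return any(t == 0 for t, _, _ in parse_handshake_record(record))

# Constructed sample: a TLS 1.2 record (0x0303) of length 10 carrying a
# zero-length HelloRequest followed by a ClientKeyExchange whose 2-byte body
# (abcd) is a placeholder, not real key material.
SAMPLE_RECORD = bytes.fromhex("160303000a" + "00000000" + "10000002abcd")

if __name__ == "__main__":
    for t, name, n in parse_handshake_record(SAMPLE_RECORD):
        print("hs_type %d (%s), body %d bytes" % (t, name, n))
    print("renegotiation requested:", has_renegotiation_request(SAMPLE_RECORD))
```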
Resolution
Workaround:
Create a Decryption exception for the HTTPS sites that fail due to SSL renegotiation.
Additional Information
Log Snippets:
2019-12-13 04:14:37.418 -0800 debug: pan_ssl3_process_handshake_msg(pan_ssl3.c:1039): unexpected message client hs_type 0 <<<
2019-12-13 04:14:37.418 -0800 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:242): pan_ssl3_process_handshake_msg() failed -1
2019-12-13 04:14:37.418 -0800 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:610): pan_ssl_parse_record() failed 192.168.54.10[57615]-->104.47.28.22[443] <<<<<<<
2019-12-13 04:14:37.418 -0800 pan_proxy_handle_error(pan_proxy.c:2118): handle error -1
2019-12-13 04:14:37.418 -0800 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:2102): In session(7846), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip <<<<<<<
2019-12-13 04:14:37.418 -0800 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1040): pan_ssl_proxy_parse_data() failed -1, not block 104.47.28.22[443]-->10.193.82.54[4708]
PCAP: Session-ID field in Client Hello Request.