The server certificate is not trusted by the firewall in the SSL/TLS handshake

Created On 02/08/24 16:36 PM - Last Modified 08/26/24 14:32 PM


Symptom


  • The server certificate is not trusted by the firewall.
  • If SSL Forward Proxy decryption is in place, the user gets a certificate warning when navigating to the site, because the firewall re-signs the untrusted server certificate with the "decrypt-untrust" certificate.
  • Logs that are visible on the firewall:
    debug: pan_x509_validate_with_ca_hash(pan_x509.c:4122): validating tlvcorpvcvl01p.paloaltonetworks.local issued by Palo Alto Networks Inc Domain CA with hash
    debug: pan_x509_validate_with_ca_hash(pan_x509.c:4129): not found: tlvcorpvcvl01p.paloaltonetworks.local <- Palo Alto Networks Inc Domain CA
  • On a server-side packet capture, it is visible that the server sends only the leaf certificate instead of the leaf plus the issuing CA certificate (screenshot: Certificate_server_side.PNG).


Environment


  • Any Palo Alto Networks Firewall or Panorama.
  • Any PAN-OS version.


Cause


The server should not send only its leaf certificate. According to the TLS RFC, the server must send every certificate in the chain except the root, leaf first, so that the firewall can build the path from the leaf to a CA it trusts.
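To confirm from a server-side capture what the server actually sends, the TLS 1.2 Certificate handshake message can be decoded directly. The following is an added example, not part of this KB article; the DER bodies are constructed placeholders, and the check only applies to TLS 1.2, since in TLS 1.3 the Certificate message is encrypted and uses a different layout.

```python
# Added example (not from the KB article): decode a TLS 1.2 Certificate
# handshake record captured on the server side and report how many
# certificates the server presents.  DER bodies are constructed placeholders.
HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CERTIFICATE_MSG = 0x0B    # handshake message type: Certificate

def build_certificate_record(cert_ders, version=b"\x03\x03"):
    """Build a TLS 1.2 Certificate record the way a server sends it
    (RFC 5246 section 7.4.2): leaf first, each cert with a 3-byte length."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in cert_ders)
    body = len(entries).to_bytes(3, "big") + entries
    handshake = bytes([CERTIFICATE_MSG]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + version + len(handshake).to_bytes(2, "big") + handshake

def parse_certificate_record(record):
    """Return the DER certificates carried in a TLS 1.2 Certificate record,
    in the order the server sent them (leaf first)."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or handshake[0] != CERTIFICATE_MSG:
        raise ValueError("not a complete Certificate message")
    msg_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + msg_len]
    list_len = int.from_bytes(body[0:3], "big")
    pos, end, certs = 3, 3 + list_len, []
    while pos < end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    if pos != end or end != len(body):
        raise ValueError("truncated certificate list")
    return certs

def chain_verdict(record):
    """Classify a captured record as the KB symptom describes: a single
    certificate means the server sends only its leaf and omits the issuing CA."""
    certs = parse_certificate_record(record)
    if len(certs) == 1:
        return "leaf only: install the intermediate CA chain on the server"
    return f"{len(certs)} certificates presented (leaf plus {len(certs) - 1} issuer cert(s))"

# Constructed samples: a misconfigured server (leaf only) and a fixed one.
LEAF_DER = b"<constructed DER: leaf certificate>"
INTERMEDIATE_DER = b"<constructed DER: issuing domain CA>"
BROKEN_RECORD = build_certificate_record([LEAF_DER])
FIXED_RECORD = build_certificate_record([LEAF_DER, INTERMEDIATE_DER])

if __name__ == "__main__":
    print("misconfigured server:", chain_verdict(BROKEN_RECORD))
    print("fixed server:        ", chain_verdict(FIXED_RECORD))
```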

Resolution


Configure the server to send the full certificate chain, that is, all certificates in the chain except the root.

Additional Information


How to check certificates details on Palo Alto Firewalls?
SSL Forward Proxy


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008X3NCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail