During the decryption of traffic, some URL break with error "SEC_ERROR_BAD_SIGNATURE" on Firefox, and "ERR_CERT_AUTHORITY_INVALID" on chrome

Created On 11/25/24 14:44 PM - Last Modified 07/03/25 14:29 PM


Symptom


  • When the site is visited, the browser reports the certificate as untrusted:
    • On Chrome: ERR_CERT_AUTHORITY_INVALID
    • On Firefox: SEC_ERROR_BAD_SIGNATURE
  • Checking the certificate authority that signed the server certificate shows the trusted CA certificate used for forward proxy decryption.
  • Extracting the certificate from a pcap taken on the client machine (or exporting it from the browser) and verifying whether it is properly signed against the trusted CA chain fails:
root@dmz-10:/HSM-issue/lab-analysis/testing-certs-lab# openssl verify -verbose -CAfile chain.pem not-working1.pem 
CN = *.google.com
error 7 at 0 depth lookup: certificate signature failure
error not-working1.pem: verification failed
140264511223104:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../crypto/asn1/a_verify.c:170:


Environment


  • Palo Alto Networks firewalls.
  • PAN-OS 10.2.x and above.
  • Forward trust ECDSA certificate whose private key resides on an HSM.


Cause


  1. When the forward proxy uses an ECDSA signing certificate with its private key on an HSM, the ASN.1 encoding of the signature INTEGERs does not account for the value's signedness when leading zero bytes are involved. As a result, the MitM certificates created by the firewall fail signature verification intermittently when the client verifies them with OpenSSL.
  2. With ECDSA under heavy traffic or many concurrent connections to the same URL, the firewall attempts to create multiple MitM certificates for the same URL and reuses the same certificate entry buffer in the cache, which corrupts the certificate signature.
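A small checker for the encoding defect in cause 1, which can be run over the signatureValue of a certificate extracted from the pcap. This is an added example, not Palo Alto Networks code; the r and s values are constructed, and drop_sign_byte only reproduces a faulty encoding for comparison.

```python
# Added example, not PAN-OS code: check DER signedness of r and s in an ECDSA signature.

def _der_len(n):
    """DER length: short form below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf, i):
    """Return (length, index of first content byte) for the length field at buf[i]."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    count = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count

def der_integer(value, drop_sign_byte=False):
    """DER INTEGER for a non-negative value: when the top bit of the first byte is
    set, a 0x00 sign byte must be prepended; drop_sign_byte=True omits it (faulty)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80 and not drop_sign_byte:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw

def ecdsa_sig_der(r, s, drop_sign_byte=False):
    """SEQUENCE { INTEGER r, INTEGER s }, the form carried in an X.509 signatureValue."""
    body = der_integer(r, drop_sign_byte) + der_integer(s, drop_sign_byte)
    return b"\x30" + _der_len(len(body)) + body

def check_ecdsa_sig(der):
    """Return a list of encoding problems; an empty list means r and s are valid DER."""
    if not der or der[0] != 0x30:
        return ["signature is not a SEQUENCE"]
    problems = []
    length, i = _read_len(der, 1)
    if i + length != len(der):
        problems.append("SEQUENCE length does not match the data")
    for name in ("r", "s"):
        if i >= len(der) or der[i] != 0x02:
            problems.append(f"{name}: expected INTEGER tag")
            break
        length, i = _read_len(der, i + 1)
        content, i = der[i:i + length], i + length
        if not content:
            problems.append(f"{name}: empty INTEGER")
        elif content[0] & 0x80:  # a valid encoding would carry a 0x00 sign byte here
            problems.append(f"{name}: top bit set without 0x00 sign byte (reads as negative)")
        elif len(content) > 1 and content[0] == 0 and not content[1] & 0x80:
            problems.append(f"{name}: non-minimal leading 0x00")
    return problems
```

Feed it the raw bytes of the certificate's BIT STRING signature (for example, from a DER dump) and an empty result means the r/s encoding itself is not what OpenSSL is rejecting.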


Resolution


  1. Clear the SSL decrypt certificate cache with the following command:
     admin@PA-10.2> debug dataplane reset ssl-decrypt certificate-cache

     deleted 49 cert entries.
  2. Once the cache is cleared, the issue is resolved. The site is trusted again with no certificate errors.
  3. The issue is fixed in the following releases and later:
     1. 11.1.10-h1, 11.1.6-h13
     2. 10.2.15, 10.2.17, 10.2.13-h8, 10.2.10-h19
     3. 11.2.6, 11.2.8
  4. The permanent fix is to upgrade to any of the releases above or higher.


Additional Information


  • PAN-OS Integration with SafeNet Luna SA HSM - Integration Guide.
  • Set Up Connectivity with a SafeNet Network HSM.

  • Additional fixes will be incorporated as well:
    • HSM - TLS 1.3 SSL Forward Proxy connection to the external network fails on the first attempt.
    • HSM - The first TLS 1.3 session for the forward proxy gets stuck when the private key of the forward-trust certificate resides on the HSM.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HEXPCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail