Block session with expired certificate is not working with No Decryption in TLS-1.3
5203
Created On 12/20/21 19:57 PM - Last Modified 05/09/23 03:46 AM
Symptom
When the TLS 1.3 protocol is used, the firewall does not block sessions with expired certificates while a No Decryption profile is applied.
Environment
- Palo Alto Firewalls
- PAN-OS 10.x
- SSL Decryption
- TLS Version 1.3
- "Block sessions with expired certificates" is configured under Decryption profile > No Decryption.
Cause
- Under TLS 1.3, everything after the ServerHello message is encrypted.
- Encryption of the server certificate is part of the protocol by default.
- The firewall cannot see the server certificate because the TLS 1.3 protocol encrypts it.
- Therefore "Block sessions with expired certificates" does not work with the No Decryption setting.
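To make the cause concrete, the following is an added Python example (not PAN-OS code, nor from Palo Alto Networks) that parses two constructed server handshake flights the way a non-decrypting inspector would: it reads the negotiated version from the ServerHello and lists which handshake messages are in the clear. In the TLS 1.2 flight the Certificate message (type 11) is visible; in the TLS 1.3 flight only the ServerHello is, and the certificate travels inside an opaque encrypted record. The flights, the random value and the cipher suite are placeholders.

```python
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23
SERVER_HELLO, CERTIFICATE = 2, 11
EXT_SUPPORTED_VERSIONS = 0x002B

def record(ctype, payload):
    # TLS record header: content type, legacy version 0x0303, 16-bit length
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def handshake(msg_type, body):
    # handshake header: 1-byte type, 24-bit length
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def server_hello(tls13):
    # constructed ServerHello body; TLS 1.3 is announced only in supported_versions
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + b"\x13\x01\x00"
    ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304) if tls13 else b""
    return body + struct.pack("!H", len(ext)) + ext

def negotiated_version(sh):
    # skip handshake header, legacy version, random, session id, suite, compression
    p = 39 + sh[38] + 3
    p, end = p + 2, p + 2 + struct.unpack_from("!H", sh, p)[0]
    while p < end:
        ext_type, ext_size = struct.unpack_from("!HH", sh, p)
        if ext_type == EXT_SUPPORTED_VERSIONS:
            return struct.unpack_from("!H", sh, p + 4)[0]
        p += 4 + ext_size
    return struct.unpack_from("!H", sh, 4)[0]  # no extension: legacy field rules

def passive_view(flight):
    # what a non-decrypting inspector sees: version and cleartext handshake types
    version, visible, p = None, [], 0
    while p < len(flight):
        ctype, _, length = struct.unpack_from("!BHH", flight, p)
        payload, p = flight[p + 5:p + 5 + length], p + 5 + length
        if ctype == APPLICATION_DATA:
            visible.append("encrypted")  # TLS 1.3 carries Certificate in these
        elif ctype == HANDSHAKE:
            visible.append(payload[0])
            if payload[0] == SERVER_HELLO:
                version = negotiated_version(payload)
    return {"version": version, "visible": visible, "cert_in_clear": CERTIFICATE in visible}

# constructed flights: TLS 1.2 Certificate body is a placeholder, TLS 1.3 one is ciphertext
TLS12_FLIGHT = (record(HANDSHAKE, handshake(SERVER_HELLO, server_hello(False)))
                + record(HANDSHAKE, handshake(CERTIFICATE, b"\x00" * 16)))
TLS13_FLIGHT = (record(HANDSHAKE, handshake(SERVER_HELLO, server_hello(True)))
                + record(APPLICATION_DATA, b"\xaa" * 48))
```

Running `passive_view` on each flight shows `cert_in_clear` True for TLS 1.2 and False for TLS 1.3, which is exactly why an expiry check that relies on seeing the certificate needs decryption under TLS 1.3.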
Resolution
Enable SSL decryption. Refer to Decryption.
- Note: The firewall supports TLS 1.3 decryption starting with PAN-OS 10.0.