SSL Decryption: After completing SSL handshake the server sends a hello request triggering a renegotiation which caused the firewall to reset the connection.
Created On 08/24/22 21:45 PM - Last Modified 11/11/25 21:15 PM
Symptom
- SSL decryption fails for certain servers and works for others.
- The traffic log session end reason in the firewall Web UI displays decrypt-error.
Sample proxy/ssl basic log showing a Hello Request in the middle of an existing SSL handshake, as seen in pan_packet_diag.log.
Environment
- All PAN-OS versions
- PA-VM or hardware based firewall
- Decryption (Forward Proxy)
Cause
Decryption is not actually failing; the server is using a handshake message that the firewall does not support. After the handshake finishes, the server sends a Hello Request to trigger renegotiation. Renegotiation is not supported by the firewall, so the firewall closes the connection.
This is working as expected.
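As an added illustration (not from this article or from PAN-OS), the parser below walks the server's decrypted TLS record stream, as a forward-proxy firewall rather than a passive tap would see it, and flags a HelloRequest (handshake type 0) that arrives after the server's Finished. The record and handshake layouts are from the TLS 1.2 RFC; the sample byte strings are constructed here for the test.

```python
import struct

# TLS record content types and handshake message types (RFC 5246).
CONTENT_CCS, CONTENT_HANDSHAKE, CONTENT_APPDATA = 0x14, 0x16, 0x17
HS_HELLO_REQUEST, HS_FINISHED = 0x00, 0x14


def parse_records(data: bytes):
    """Yield (content_type, payload) for each 5-byte-header TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if off + length > len(data):
            raise ValueError("truncated TLS record")
        yield ctype, data[off:off + length]
        off += length


def parse_handshakes(payload: bytes):
    """Yield (msg_type, body) for each handshake message in a record payload."""
    off = 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        off += 4
        yield msg_type, payload[off:off + length]
        off += length


def has_post_handshake_hello_request(server_stream: bytes) -> bool:
    """True if the server sends an empty HelloRequest after its Finished message."""
    finished_seen = False
    for ctype, payload in parse_records(server_stream):
        if ctype != CONTENT_HANDSHAKE:
            continue
        for msg_type, body in parse_handshakes(payload):
            if msg_type == HS_FINISHED:
                finished_seen = True
            elif msg_type == HS_HELLO_REQUEST and finished_seen and not body:
                return True  # renegotiation trigger: proxy will drop this session
    return False


# Helpers to build constructed sample streams (plaintext, as after decryption).
def record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def handshake(msg_type, body=b""):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

FINISHED = record(CONTENT_HANDSHAKE, handshake(HS_FINISHED, b"\x00" * 12))
SAMPLE_OK = FINISHED + record(CONTENT_APPDATA, b"app-data")           # no renegotiation
SAMPLE_RENEG = SAMPLE_OK + record(CONTENT_HANDSHAKE, handshake(HS_HELLO_REQUEST))
```

Servers flagged this way are candidates for the no-decrypt policy described under Resolution; note that TLS 1.3 removed renegotiation entirely, so this check only applies to TLS 1.2 and earlier sessions.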
Resolution
1) Create a no-decrypt policy for the servers.
2) Or, if the servers are internally hosted, it may be possible for the customers to configure their servers to not send hello request.
Additional Information
Feature Request was filed to support Hello Request on the server under FR ID 4256.