SSL decrypt exclude cache and unsupported ECDHE cipher suites
The following is copied verbatim from a Palo Alto Networks statement:
If a website or destination only supports ECDHE SSL ciphers, then SSL decryption forward proxy will not work.
This is attributed to the ECDHE cipher suites, which are not supported by the forward proxy feature.
Let's take a look at how the SSL decryption forward proxy feature handles unsupported SSL ECDHE cipher suites:
The client sends an SSL hello to the website or destination host. The client hello includes all the SSL cipher suites it supports, which include the ECDHE cipher suites. The Palo Alto Networks firewall intercepts the client hello packet, selects the supported ciphers from this list (removing the ECDHE ones), re-crafts the SSL client hello and proxies it to the website.
The website or destination host replies with an SSL HANDSHAKE failure (error code 40 - unsupported ciphers) if the website does not support non-ECDHE ciphers.
The packet containing ‘SSL HANDSHAKE failure: error code 40- unsupported ciphers’ is the trigger for the Palo Alto Networks firewall to know that the website or destination host does not support the proposed SSL cipher suites. The Palo Alto Networks firewall gives up decryption for this website and populates its ‘ssl-decrypt exclude cache.’
From now on, the Palo Alto Networks firewall will not proxy any subsequent connections to this website or destination host.
The lifetime of the SSL decrypt exclude cache is 12 hours. It persists as long as there’s no change made to the decryption policy.
On collecting another packet capture on the firewall in the receive and transmit stages and comparing them, you can see that the SSL ciphers proposed in the client hello by the actual client machine behind the Palo Alto Networks firewall and the one relayed by the firewall are the same. Thereby, SSL decryption forward proxy is bypassed.
On paper this may sound like a good way to bypass decryption automatically: if a website only supports encryption algorithms that the Palo Alto firewall cannot decrypt, the firewall would give up decryption on its own and put the resource into the exclude cache. However, this happens ONLY when the website actually replies to the "Hello" sent by the firewall and explicitly reports the unsupported ciphers. Many websites simply stay silent instead, so the firewall never receives this information and never lets the client connect to the website unless you manually override decryption for it. If you take a packet capture of the interesting traffic, you will find that the server never replied to the "Hello" requests from the firewall when no supported ciphers could be negotiated.
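The receive/transmit ClientHello comparison described above, as an added example in Python that is not part of the original post or any Palo Alto Networks tool. It builds two constructed ClientHello records, extracts the cipher suite lists, classifies whether the ECDHE suites were stripped (proxied) or the list was relayed untouched (bypassed), and recognises the alert 40 reply that populates the exclude cache. The ECDHE_SUITES set is a hand-picked subset of IANA cipher suite values, not an exhaustive list.

```python
import struct

# Hand-picked IANA cipher suite IDs for common ECDHE suites (assumption: not exhaustive).
ECDHE_SUITES = {0xC02B, 0xC02C, 0xC02F, 0xC030, 0xC027, 0xC028,
                0xC013, 0xC014, 0xC009, 0xC00A}


def build_client_hello(cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                    # client_version + random
            + b"\x00"                                  # session_id length = 0
            + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
            + b"\x01\x00")                             # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_cipher_suites(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]             # skip session_id
    count = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + count, 2)]


def classify(received_hello, transmitted_hello):
    """Compare the ClientHello captured at the firewall receive stage with the
    one it transmitted upstream, as the article suggests doing by hand."""
    rx = parse_cipher_suites(received_hello)
    tx = parse_cipher_suites(transmitted_hello)
    if rx == tx:
        return "bypassed"   # identical list: session is not being proxied
    if all(s in rx for s in tx) and not any(s in ECDHE_SUITES for s in tx):
        return "proxied"    # firewall re-crafted the hello without ECDHE suites
    return "unknown"


def is_handshake_failure(record):
    """True for a TLS alert record with description 40 (handshake_failure),
    the server reply that triggers the ssl-decrypt exclude cache entry."""
    return record[0] == 0x15 and len(record) >= 7 and record[6] == 40


if __name__ == "__main__":
    client = build_client_hello([0xC02F, 0xC02B, 0x009C, 0x0035])
    relayed = build_client_hello([0x009C, 0x0035])
    print(classify(client, relayed), classify(client, client))
```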
show system setting ssl-decrypt exclude-cache | match <ip> // This command helps verify whether there is a "cipher mismatch" issue between internal clients and external websites.
show session all filter ssl-decrypt [yes|no] source <ip> destination <ip> // This command shows active sessions filtered by SSL decryption status.
show counter global filter delta yes | match "ssl_server_cipher_not_supported" // This command helps verify whether there is a "cipher mismatch" issue between an internal web server and external clients.