Azure Firewall TLS inspection fails with handshake failure, alert 40
Hello, I'm trying to set up Azure Firewall with TLS inspection. I cannot get past one problem.
Problem: Firewall fails to process rule.
Chrome/Edge browser error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
openssl error:
$ openssl s_client -connect app-service-xyz.ase-xyz.appserviceenvironment.net:443 -servername app-service-xyz.ase-xyz.appserviceenvironment.net
CONNECTED(000001D4)
C0140000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-3.1.4/ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 386 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
My setup:
Azure Firewall premium
Azure Firewall policy (premium)
Firewall access to Key Vault: managed identity with full access (for testing purposes)
IDPS: Alert mode
Network setup: Two subnets, VM in subnet A, private endpoints to ASE App Service in subnet B; traffic from one subnet to the other is routed through the firewall, which is in another vnet that is peered (simulation of a hub & spoke model with a WAF+Firewall security stack).
Application rule: From "10.1.4.0/24" (subnet A) to FQDN/URL "*.ase-xyz.appserviceenvironment.net" with TLS inspection=Yes and protocol: "Https:443". Flipping TLS inspection to "No" makes the website work correctly when loaded from the VM, but without certificate substitution.
CA certificate: tried multiple times, changing different params based on the bash instructions in https://learn.microsoft.com/en-us/azure/firewall/premium-certificates; tried adding it as a secret or as a certificate to Key Vault. Nothing worked. The basic certificate created according to the instructions is in the attachment.
Logs: The Log workspace does not report any rule attempt (be it Allow or Deny), as if it were failing so early that no logging is possible yet.
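A pre-upload check for the inspection CA, as an added example that is not part of the original post or of Microsoft's tooling: it parses the PFX with the `cryptography` package and flags properties that would stop an intermediate CA from signing substituted certificates (no CA:TRUE basic constraint, no keyCertSign key usage, expired, or private key missing), which is the kind of defect that surfaces only as an early handshake alert with nothing in the rule logs. The property list is my assumption about what the linked Microsoft page requires, so compare it with that page; `make_test_ca` is a constructed self-signed certificate for demonstration only.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def check_ca_for_tls_inspection(cert, key=None):
    """Return the problems found; an empty list means the cert looks usable as an inspection CA."""
    problems = []
    try:
        if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("BasicConstraints CA is FALSE: it cannot sign substituted leaf certs")
    except x509.ExtensionNotFound:
        problems.append("BasicConstraints extension missing")
    try:
        if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign:
            problems.append("KeyUsage lacks keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("KeyUsage extension missing")
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, like not_valid_before/after
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        problems.append("certificate is outside its validity period")
    if key is None:
        problems.append("no private key: the firewall cannot sign substituted certs without it")
    return problems


def check_pfx(path, password=None):
    """Load a PFX the way it would be uploaded to Key Vault and run the checks on its CA cert."""
    with open(path, "rb") as f:
        key, cert, _chain = pkcs12.load_key_and_certificates(f.read(), password)
    return check_ca_for_tls_inspection(cert, key)


def make_test_ca(ca=True, key_cert_sign=True):
    """Constructed self-signed CA for demonstration only, not a deployment certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Inspection CA")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
               .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                   key_encipherment=False, data_encipherment=False, key_agreement=False,
                   key_cert_sign=key_cert_sign, crl_sign=True, encipher_only=False,
                   decipher_only=False), critical=True))
    return builder.sign(key, hashes.SHA256()), key
```

Run `check_pfx("inspection-ca.pfx")` on the exact file you upload; a password-protected PFX needs the password passed as bytes.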