Azure Firewall TLS inspection fails with handshake failure, alert 40

MATEUSZ U 0 Reputation points
2024-02-17T00:40:18.0566667+00:00

Attachment: interCA-old.pfx.txt

Hello, I'm trying to set up Azure Firewall with TLS inspection. I cannot get past one problem.

Problem: Firewall fails to process rule. Chrome/Edge browser error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH. openssl error:

$ openssl s_client -connect app-service-xyz.ase-xyz.appserviceenvironment.net:443 -servername app-service-xyz.ase-xyz.appserviceenvironment.net
CONNECTED(000001D4)
C0140000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-3.1.4/ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 386 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

My setup:

Azure Firewall Premium with an Azure Firewall Policy (Premium).
Firewall access to Key Vault: managed identity with full access (for testing purposes).
IDPS: Alert mode.
Network setup: two subnets, VM in subnet A, private endpoints to the ASE App Service in subnet B; traffic from one subnet to the other is routed through the firewall, which is in another VNet that is peered (simulation of a hub & spoke model with a WAF + Firewall security stack).
Application rule: from "10.1.4.0/24" (subnet A) to FQDN/URL "*.ase-xyz.appserviceenvironment.net" with TLS inspection = Yes and protocol "Https:443". Flipping TLS inspection to "No" makes the website work correctly when loaded from the VM, but without certificate substitution.
CA certificate: tried multiple times, changing different params based on the bash instructions in https://learn.microsoft.com/en-us/azure/firewall/premium-certificates; tried adding it as a secret or as a certificate to Key Vault. Nothing worked. The basic certificate created according to the instructions is in the attachment.
Logs: the Log workspace does not report any rule attempt (be it Allow or Deny), as if it were failing so early that no logging is possible yet.
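A pre-upload check I would run against a candidate intermediate-CA PFX, added here as an example (it is not part of the question and not Microsoft tooling). It assumes the requirements from the linked premium-certificates article as I read them: password-less PFX with the private key included, basicConstraints CA:TRUE, keyUsage containing keyCertSign, and an intermediate rather than a self-signed root; make_demo_ca builds a constructed throwaway CA so the checks can be exercised without the poster's attachment.

```shell
#!/bin/sh
# check_fw_ca_pfx FILE: one line per check, returns 0 only if all pass.
# Requirements below are my reading of the premium-certificates article (assumption).
check_fw_ca_pfx() {
  pfx=$1; rc=0
  # Key Vault / the firewall must be able to open the PFX with no password
  if ! certs=$(openssl pkcs12 -in "$pfx" -passin pass: -nokeys 2>/dev/null); then
    echo "FAIL: PFX cannot be read with an empty password"; return 1
  fi
  echo "ok: PFX opens with an empty password"
  # The firewall signs substituted certificates, so the private key must be inside
  if openssl pkcs12 -in "$pfx" -passin pass: -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; then
    echo "ok: private key present"
  else echo "FAIL: no private key in PFX"; rc=1; fi
  bc=$(printf '%s\n' "$certs" | openssl x509 -noout -ext basicConstraints 2>/dev/null)
  case $bc in *CA:TRUE*) echo "ok: basicConstraints CA:TRUE" ;;
    *) echo "FAIL: not a CA certificate (basicConstraints: ${bc:-absent})"; rc=1 ;; esac
  ku=$(printf '%s\n' "$certs" | openssl x509 -noout -ext keyUsage 2>/dev/null)
  case $ku in *"Certificate Sign"*) echo "ok: keyUsage includes keyCertSign" ;;
    *) echo "FAIL: keyUsage lacks keyCertSign (${ku:-absent})"; rc=1 ;; esac
  # A self-signed certificate is a root; the article's setup uses an intermediate
  subj=$(printf '%s\n' "$certs" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$certs" | openssl x509 -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo "FAIL: self-signed (root) certificate; an intermediate CA is expected"; rc=1
  else echo "ok: intermediate CA, $iss"; fi
  return $rc
}

# make_demo_ca DIR: constructed throwaway root + intermediate (sample data, not the
# poster's certificate); writes DIR/inter.pfx in the same shape as the article's steps.
make_demo_ca() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
    -keyout "$d/root.key" -out "$d/root.crt" \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -addext 'keyUsage=critical,keyCertSign,cRLSign' 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl pkcs12 -export -passout pass: -inkey "$d/inter.key" -in "$d/inter.crt" -out "$d/inter.pfx"
}

if [ "$#" -eq 1 ]; then check_fw_ca_pfx "$1"; fi
```

Run it as `sh check.sh interCA-old.pfx` against the real PFX; a FAIL line names the property to fix before re-uploading to Key Vault.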
