正解:A,D
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-decryption-exceptions Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with unsupported versions and cipher suites, and that require using client authentication. <-- this req client Auth, which is not stated Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates. Define the protocol versions and key exchange, encryption, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection traffic in the SSL Protocol Settings.