Cannot access a specific URL with weak encryption over Symantec SSL proxy


Article ID: 158776



Web Gateway


When browsing to a specific HTTPS URL through the SSL Deep Inspection component of Symantec Web Gateway (SWG), the client browser displays a blank page. However, the client browser displays the content of other HTTPS pages.



Previous versions of the SWG appliance accepted MD5 and SHA-1 encryption methods. SWG 5.2.0 no longer accepts MD5 or SHA-1 as supported encryption methods during SSL connections because of the relative weakness of these methods.




  1. Confirm that the connection failure between SWG and the web site is specific to the encryption handshake.
  2. Do one of the following:
    - If the connection failure is specific to the encryption handshake, work around it temporarily by creating an SSL Intercept Exception within the Interception policy for the specific site. Contact the Technical Contact for the domain to request that they support stronger encryption for SSL.
    - If the site in question does not meet the security policy or usage requirements of your organization, make no changes within SWG and consider blocking the site by IP address at your firewall.


To confirm that the connection failure is specific to the encryption handshake

  • Collect a packet capture while reproducing the symptom.
  • Compare the packet capture to the example below to confirm that the SSL connection fails during the handshake. In the example, SWG's IP address on the LAN interface is and the IP address of the test web server is [REMOVED]. Note the "Handshake Failure" alert sent in reply to the Client Hello.

 No.     Time                       Source                Destination           Protocol Info
     55 2013-12-16 15:19:19.060863         [REMOVED]        TCP      28854 > https [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=834203 TSER=0 WS=10
     57 2013-12-16 15:19:19.240976 [REMOVED]         TCP      https > 28854 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380 WS=0 TSV=4240175680 TSER=834203
     58 2013-12-16 15:19:19.241006         [REMOVED]        TCP      28854 > https [ACK] Seq=1 Ack=1 Win=6144 Len=0 TSV=834383 TSER=4240175680
     59 2013-12-16 15:19:19.241134 [REMOVED]        TLSv1    Client Hello
     60 2013-12-16 15:19:19.411070        [REMOVED]         TLSv1    Alert (Level: Fatal, Description: Handshake Failure)
     61 2013-12-16 15:19:19.411098 [REMOVED]        TCP      28854 > https [ACK] Seq=118 Ack=8 Win=6144 Len=0 TSV=834553 TSER=4240175861
     62 2013-12-16 15:19:19.411103        [REMOVED]         TCP      https > 28854 [FIN, ACK] Seq=8 Ack=118 Win=4257 Len=0 TSV=4240175861 TSER=834383
     63 2013-12-16 15:19:19.411174 [REMOVED]        TCP      28854 > https [FIN, ACK] Seq=118 Ack=9 Win=6144 Len=0 TSV=834553 TSER=4240175861
     65 2013-12-16 15:19:19.616577        [REMOVED]         TCP      https > 28854 [ACK] Seq=9 Ack=119 Win=4257 Len=0 TSV=4240176026 TSER=834553
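To make the comparison in the step above repeatable, the following added example (not part of this article and not Symantec code) parses Wireshark-style summary lines in the format shown above and reports whether the server answered the Client Hello with a fatal alert instead of a Server Hello. The sample captures and their 10.0.0.x addresses are constructed placeholders.

```python
import re

# Constructed sample in the summary format of the capture above; the
# addresses are placeholders for the proxy (10.0.0.2) and web server (10.0.0.9).
FAILED_CAPTURE = """\
No. Time Source Destination Protocol Info
 55 2013-12-16 15:19:19.060863 10.0.0.2 10.0.0.9 TCP 28854 > https [SYN] Seq=0 Win=5840
 57 2013-12-16 15:19:19.240976 10.0.0.9 10.0.0.2 TCP https > 28854 [SYN, ACK] Seq=0 Ack=1
 59 2013-12-16 15:19:19.241134 10.0.0.2 10.0.0.9 TLSv1 Client Hello
 60 2013-12-16 15:19:19.411070 10.0.0.9 10.0.0.2 TLSv1 Alert (Level: Fatal, Description: Handshake Failure)
 62 2013-12-16 15:19:19.411103 10.0.0.9 10.0.0.2 TCP https > 28854 [FIN, ACK] Seq=8 Ack=118
"""

# Constructed capture of the same client reaching a server that completes the handshake.
GOOD_CAPTURE = """\
 10 2013-12-16 15:20:01.000001 10.0.0.2 10.0.0.7 TLSv1 Client Hello
 11 2013-12-16 15:20:01.100000 10.0.0.7 10.0.0.2 TLSv1 Server Hello, Certificate, Server Hello Done
 12 2013-12-16 15:20:01.200000 10.0.0.2 10.0.0.7 TLSv1 Client Key Exchange, Change Cipher Spec
"""

# Columns: No. | Date Time | Source | Destination | Protocol | Info
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ALERT_RE = re.compile(r"Alert \(Level: (\w+), Description: ([^)]+)\)")

def parse_frames(text):
    """Return (src, dst, proto, info) tuples; the header line does not match."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((m.group(3), m.group(4), m.group(5), m.group(6)))
    return frames

def diagnose_handshake(text):
    """Classify a capture as 'handshake_failure', 'handshake_ok' or 'no_tls'."""
    saw_client_hello = False
    for src, dst, proto, info in parse_frames(text):
        if not proto.startswith(("TLS", "SSL")):
            continue  # TCP setup/teardown frames are irrelevant here
        if "Client Hello" in info:
            saw_client_hello = True
            continue
        if "Server Hello" in info:
            return "handshake_ok"
        alert = ALERT_RE.search(info)
        # A fatal alert from the server before any Server Hello means the two
        # sides found no mutually acceptable cipher suite or signature algorithm.
        if alert and alert.group(1) == "Fatal" and saw_client_hello:
            return "handshake_failure"
    return "no_tls"
```

A verdict of handshake_failure on the capture taken in the SWG-to-web-site direction is the confirmation that the steps above ask for; a Server Hello means the failure lies elsewhere.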

To create an SSL Intercept Exception 

  1. Within the SWG user interface (UI), navigate to Policies > Configuration.
  2. On the policy with a Type of SSL that is closest to the top of the list of policies, click the Edit Policy button (the button with a picture of a pencil).
  3. Scroll down to the section labeled "SSL Intercept Exceptions".
  4. Click "Add an exception".
  5. In the "Domain Name/IP" field, type the domain name or IP address you want to exempt from SSL Interception.
  6. In the "Action" dropdown box, select Ignore.
  7. In Description, type a brief explanation, such as "site only supports MD5 encryption".


Applies To

  • On Administration > Configuration > Operating Mode, SWG 5.2.0 is set to either Proxy or Inline+Proxy mode.
  • On Administration > Configuration > Proxy, SSL Deep Inspection is checked.
  • The client browser is configured to send HTTPS traffic to the IP address of the SWG appliance and the port of its SSL Deep Inspection service. (This setting might be configured either in the Internet Options on Connection > LAN Settings > Advanced or in a proxy.pac file.)