Cannot access a specific URL with weak encryption over Symantec SSL proxy


Article ID: 158776


Updated On:

Products

Web Gateway

Issue/Introduction

When browsing to one specific HTTPS URL through the SSL Deep Inspection component of Symantec Web Gateway (SWG), the client browser displays a blank page, while other HTTPS pages are displayed normally.

Cause

Previous versions of the SWG appliance accepted MD5- and SHA-1-based encryption methods. SWG 5.2.0 no longer accepts MD5 or SHA-1 as supported encryption methods during SSL connections because of the relative weakness of these algorithms, so the SSL handshake with a server that offers nothing stronger fails.


Resolution

  1. Confirm that the connection failure between SWG and the web site is specific to the encryption handshake.
  2. Do one of the following:
    - If the connection failure is specific to the encryption handshake, work around it temporarily by creating an SSL Intercept Exception for the specific site within the Interception policy. Contact the Technical Contact for the domain to request that they support stronger encryption for SSL.
    - If the site in question does not meet the security policy or usage requirements of your organization, make no changes within SWG and consider blocking the site by IP address at your firewall.


To confirm that the connection failure is specific to the encryption handshake

  • Collect a packet capture while reproducing the symptom
  • Compare the packet capture to the example below to confirm that the SSL connection is failing during the handshake. In the example below, SWG's IP address on the LAN interface is 10.69.121.105 and the IP address of the test web server is [REMOVED]. Note the "Handshake Failure" alert that the server sends immediately after the Client Hello, followed by the TCP teardown.

 No.     Time                       Source                Destination           Protocol Info
     55 2013-12-16 15:19:19.060863 10.69.121.105         [REMOVED]        TCP      28854 > https [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=834203 TSER=0 WS=10
     57 2013-12-16 15:19:19.240976 [REMOVED]        10.69.121.105         TCP      https > 28854 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380 WS=0 TSV=4240175680 TSER=834203
     58 2013-12-16 15:19:19.241006 10.69.121.105         [REMOVED]        TCP      28854 > https [ACK] Seq=1 Ack=1 Win=6144 Len=0 TSV=834383 TSER=4240175680
     59 2013-12-16 15:19:19.241134 [REMOVED]         10.69.116.136        TLSv1    Client Hello
     60 2013-12-16 15:19:19.411070 10.69.116.136        [REMOVED]         TLSv1    Alert (Level: Fatal, Description: Handshake Failure)
     61 2013-12-16 15:19:19.411098 [REMOVED]        10.69.116.136        TCP      28854 > https [ACK] Seq=118 Ack=8 Win=6144 Len=0 TSV=834553 TSER=4240175861
     62 2013-12-16 15:19:19.411103 10.69.116.136        [REMOVED]         TCP      https > 28854 [FIN, ACK] Seq=8 Ack=118 Win=4257 Len=0 TSV=4240175861 TSER=834383
     63 2013-12-16 15:19:19.411174 [REMOVED]         10.69.116.136        TCP      28854 > https [FIN, ACK] Seq=118 Ack=9 Win=6144 Len=0 TSV=834553 TSER=4240175861
     65 2013-12-16 15:19:19.616577 10.69.116.136        [REMOVED]         TCP      https > 28854 [ACK] Seq=9 Ack=119 Win=4257 Len=0 TSV=4240176026 TSER=834553
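The check described above can be scripted. The following is an added example, not part of the original article: it parses Wireshark-style summary lines (the format of the capture above) and reports whether the connection failed at the TCP level, at the TLS handshake, or got past the Server Hello. The sample lines are constructed, and 203.0.113.10 is a placeholder for the redacted web server address.

```python
import re

# Constructed sample lines modeled on the capture in the article; 203.0.113.10
# is a documentation-range placeholder for the redacted web server address.
FAILED_CAPTURE = """\
No.     Time                       Source         Destination    Protocol Info
     55 2013-12-16 15:19:19.060863 10.69.121.105  203.0.113.10   TCP    28854 > https [SYN] Seq=0 Win=5840 Len=0
     57 2013-12-16 15:19:19.240976 203.0.113.10   10.69.121.105  TCP    https > 28854 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0
     58 2013-12-16 15:19:19.241006 10.69.121.105  203.0.113.10   TCP    28854 > https [ACK] Seq=1 Ack=1 Win=6144 Len=0
     59 2013-12-16 15:19:19.241134 10.69.121.105  203.0.113.10   TLSv1  Client Hello
     60 2013-12-16 15:19:19.411070 203.0.113.10   10.69.121.105  TLSv1  Alert (Level: Fatal, Description: Handshake Failure)
     61 2013-12-16 15:19:19.411098 10.69.121.105  203.0.113.10   TCP    28854 > https [ACK] Seq=118 Ack=8 Win=6144 Len=0
"""
# Constructed contrast case: the same server completes the handshake.
HEALTHY_CAPTURE = """\
     12 2013-12-16 15:20:01.000000 10.69.121.105  203.0.113.10   TCP    28860 > https [SYN] Seq=0 Win=5840 Len=0
     13 2013-12-16 15:20:01.100000 203.0.113.10   10.69.121.105  TCP    https > 28860 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0
     14 2013-12-16 15:20:01.100100 10.69.121.105  203.0.113.10   TLSv1  Client Hello
     15 2013-12-16 15:20:01.300000 203.0.113.10   10.69.121.105  TLSv1  Server Hello, Certificate, Server Hello Done
"""

# frame no, date, time, source, destination, protocol, rest of line as info
FRAME_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_frames(text):
    """Yield (frame_no, src, dst, protocol, info); the header line does not match."""
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)

def classify_tls_failure(text, server_ip):
    """Return (verdict, frame_no) for the connection to server_ip:
    'tcp_no_synack', 'handshake_failure', 'handshake_ok' or 'undetermined'."""
    synack_seen = client_hello = None
    for no, src, dst, proto, info in parse_frames(text):
        if src == server_ip and "[SYN, ACK]" in info:
            synack_seen = no                      # TCP session established
        elif dst == server_ip and proto.startswith("TLS") and info.startswith("Client Hello"):
            client_hello = no                     # proxy offered its cipher suites
        elif src == server_ip and proto.startswith("TLS") and client_hello is not None:
            if info.startswith("Server Hello"):   # server picked a suite: not a handshake problem
                return "handshake_ok", no
            if info.startswith("Alert") and "Handshake Failure" in info:
                return "handshake_failure", no    # no mutually acceptable suite
    if synack_seen is None:
        return "tcp_no_synack", None              # never got past TCP: look at routing/firewall
    return "undetermined", None
```

A verdict of handshake_failure directly after the Client Hello is the pattern this article describes; handshake_ok or tcp_no_synack points to a different cause and the SSL Intercept Exception will not help.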

To create an SSL Intercept Exception 

  1. Within the SWG user interface (UI), navigate to Policies > Configuration.
  2. On the policy with a Type of SSL that is closest to the top of the list of policies, click the Edit Policy button (the button with a picture of a pencil).
  3. Scroll down to the section labeled "SSL Intercept Exceptions".
  4. Click "Add an exception".
  5. In the "Domain Name/IP" field, type the domain name or IP address you want to exempt from SSL Interception.
  6. In the "Action" dropdown box, select Ignore.
  7. In Description, type a brief explanation, such as "site only supports MD5 encryption".


Applies To

  • On Administration > Configuration > Operating Mode, SWG 5.2.0 is set to either Proxy or Inline+Proxy mode.
  • On Administration > Configuration > Proxy, SSL Deep Inspection is checked.
  • The client browser is configured to send HTTPS traffic to the IP address of the SWG appliance on the SSL Deep Inspection port. (This setting might be configured either in Internet Options under Connections > LAN Settings > Advanced or in a proxy.pac file.)