Issue/Introduction:
Some HTTPS web sites will not load correctly unless protocol detection is disabled for the site.
Cause:
In some cases, this will occur because the web site wants to use the cipher ECDHE.
As of 6.5.7.5 the following variants of ECDHE-RSA have been added:
- ECDHE-RSA-AES128-SHA (0xC013)
- ECDHE-RSA-AES256-SHA (0xC014)
- ECDHE-RSA-AES128-SHA256 (0xC027)
- ECDHE-RSA-AES128-GCM-SHA256 (0xC02F)
- ECDHE-RSA-RC4-SHA (0xC011)
- ECDHE-ECDSA-AES128-SHA256 (0xC023)
- ECDHE-ECDSA-AES128-GCM-SHA256 (0xC02B)
- ECDHE-ECDSA-RC4-SHA (0xC007)
- ECDHE-ECDSA-AES128-SHA (0xC009)
- ECDHE-ECDSA-AES256-SHA (0xC00A)
Check the newer release notes for other versions of SGOS to confirm if other variants or newer cipher suites have been added.
Resolution:
Upgrade to 6.5.7.7. to fix an issue with certain certificates, and to get the 6.5.6.1 and 6.5.7.1 added cipher support.
Workaround
Adding the following CPL code to local policy will disable Protocol Detection for the specified site.
<Proxy>
Allow url.regex="website.com" detect_protocol(no)