Some HTTPS websites will not load using the ProxySG appliance

Article ID: 166930

Products

Asset Management Solution, ProxySG Software - SGOS

Issue/Introduction

Some HTTPS websites will not load correctly unless protocol detection is disabled for the site.

Cause

In some cases, this occurs because the website wants to use an ECDHE (elliptic-curve Diffie-Hellman ephemeral) cipher suite.

As of 6.5.7.5, the following ECDHE cipher suites (ECDHE-RSA and ECDHE-ECDSA variants) have been added:
  • ECDHE-RSA-AES128-SHA (0xC013)
  • ECDHE-RSA-AES256-SHA (0xC014)
  • ECDHE-RSA-AES128-SHA256 (0xC027)
  • ECDHE-RSA-AES128-GCM-SHA256 (0xC02F)
  • ECDHE-RSA-RC4-SHA (0xC011)
  • ECDHE-ECDSA-AES128-SHA256 (0xC023)
  • ECDHE-ECDSA-AES128-GCM-SHA256 (0xC02B)
  • ECDHE-ECDSA-RC4-SHA (0xC007)
  • ECDHE-ECDSA-AES128-SHA (0xC009)
  • ECDHE-ECDSA-AES256-SHA (0xC00A)
Check the release notes for other versions of SGOS to confirm whether other variants or newer cipher suites have been added.
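To confirm that the cipher suite is the cause, the suite a site selects can be read from its ServerHello and compared with the list above. The following is an added example, not part of the original article or any vendor tooling: it assumes the ServerHello sits at the start of a single TLS record (for instance, bytes exported from a packet capture of a handshake with the affected site), and `make_server_hello` is a hypothetical helper that builds constructed test data.

```python
import struct

# Suites the article lists as added as of SGOS 6.5.7.5 (IDs copied from the list above).
SGOS_6575_ECDHE = {
    0xC013: "ECDHE-RSA-AES128-SHA", 0xC014: "ECDHE-RSA-AES256-SHA",
    0xC027: "ECDHE-RSA-AES128-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC011: "ECDHE-RSA-RC4-SHA", 0xC023: "ECDHE-ECDSA-AES128-SHA256",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC007: "ECDHE-ECDSA-RC4-SHA",
    0xC009: "ECDHE-ECDSA-AES128-SHA", 0xC00A: "ECDHE-ECDSA-AES256-SHA",
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    # Content type 22 = handshake, handshake type 2 = ServerHello.
    if ctype != 22 or len(body) != rlen or len(body) < 4 or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # Fixed part: version (2) + random (32) + session_id length (1).
    if len(hello) != hlen or hlen < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]          # skip the variable-length session_id
    if len(hello) < off + 3:      # cipher_suite (2) + compression_method (1)
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def classify(record: bytes) -> str:
    """Say whether the selected suite is in the article's 6.5.7.5 list."""
    suite = server_hello_suite(record)
    name = SGOS_6575_ECDHE.get(suite)
    if name:
        return f"0x{suite:04X} {name}: listed as added in 6.5.7.5"
    return f"0x{suite:04X}: not in the 6.5.7.5 list, check the release notes"

def make_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Build a minimal TLS 1.2 ServerHello record (constructed test data)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    print(classify(make_server_hello(0xC02F, bytes(32))))
```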
 

Resolution

Upgrade to 6.5.7.7 to fix an issue with certain certificates and to get the cipher support added in 6.5.6.1 and 6.5.7.1.

Workaround

Adding the following CPL code to local policy will disable Protocol Detection for the specified site.
 
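<Proxy>
; "website.com" is a placeholder: replace it with the affected site.
; The pattern is a regular expression, so the unescaped "." matches any character; keep it as specific as possible.
Allow url.regex="website.com" detect_protocol(no)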