Unable to access certain HTTPS sites with certain browsers when force-secure-renegotiation is enabled
Steps to reproduce:
1. Enable force-secure-renegotiation
SG200#(config ssl)force-secure-renegotiation enable
2. Intercept HTTPS traffic on SG.
3. Access https://upload.bluecoat.com/ or https://login.yahoo.co.jp/ or https://www.verisign.com/ through SG with Mozilla Firefox 16.0.1 and you will receive a "Problem loading page" or "The connection was interrupted" error.
4. This reportedly affects other browsers such as Internet Explorer and Google Chrome as well.
2012-10-19 01:14:25+08:00SGT "PCAP: Packet capture started" 0 FFFF0002:7D ../http.cpp:335
2012-10-19 01:14:32+08:00SGT "SSL Proxy doesn't allow insecure renegotiation" 0 310000:1 ../ssl_proxy/sslproxy_worker.cpp:2191
2012-10-19 01:14:33+08:00SGT "SSL Proxy doesn't allow insecure renegotiation" 0 310000:1 ../ssl_proxy/sslproxy_worker.cpp:2191
Resolution:
This was being investigated under B#181464 and has been addressed in SGOS 6.5.
Currently, there are no plans to address this in SG 5.x and SG 6.x prior to SG 6.5.
Workaround:
1. For Mozilla Firefox, go to about:config and set security.ssl3.dhe_rsa_camellia_256_sha to False.
2. Disabling SSL Intercept for the affected sites is a possible workaround, although not recommended, as it prevents the ProxySG from inspecting HTTPS traffic.