Unable to access certain HTTPS sites with certain browsers when force-secure-renegotiation is enabled

Article ID: 167040

Products

Mobility Threat Protection ProxySG Software - SGOS

Issue/Introduction

Unable to access certain HTTPS sites with certain browsers when force-secure-renegotiation is enabled

Steps to reproduce:
1. Enable force-secure-renegotiation
SG200#config term
SG200#(config)ssl
SG200#(config ssl)force-secure-renegotiation enable

2. Intercept HTTPS traffic on SG.

3. Access https://upload.bluecoat.com/, https://login.yahoo.co.jp/ or https://www.verisign.com/ through the ProxySG with Mozilla Firefox 16.0.1. The page fails to load with a "Problem loading page" or "The connection was interrupted" error.

4. This reportedly affects other browsers such as Internet Explorer and Google Chrome as well.


==========
events.log
==========
2012-10-19 01:14:25+08:00SGT  "PCAP: Packet capture started"  0 FFFF0002:7D   ../http.cpp:335
.....
2012-10-19 01:14:32+08:00SGT  "SSL Proxy doesn't allow insecure renegotiation"  0 310000:1   ../ssl_proxy/sslproxy_worker.cpp:2191
2012-10-19 01:14:33+08:00SGT  "SSL Proxy doesn't allow insecure renegotiation"  0 310000:1   ../ssl_proxy/sslproxy_worker.cpp:2191
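The event above is the proxy refusing a session that does not signal RFC 5746 secure renegotiation. On the wire a client advertises that support in one of two ways: by listing the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF) or by sending an empty renegotiation_info extension (type 0xFF01). The following Python script is an added example for this article, not code from SGOS or from Symantec/Blue Coat; it builds constructed ClientHello records (the cipher suite values 0x0039 and 0x0088 are the standard assignments for TLS_DHE_RSA_WITH_AES_256_CBC_SHA and TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, the latter being the suite the Firefox workaround below disables) and reports whether each one would be acceptable to a policy that forces secure renegotiation. The function and variable names are the example's own.

```python
"""Check whether a TLS ClientHello signals RFC 5746 secure renegotiation.

Added example: builds constructed ClientHello records and inspects them for
the two signals a client can send, the SCSV pseudo cipher suite and the
renegotiation_info extension. Not code from SGOS.
"""
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, section 3.3)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746, section 3.2)
DHE_RSA_AES256_SHA = 0x0039       # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
DHE_RSA_CAMELLIA256_SHA = 0x0088  # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA


def build_client_hello(cipher_suites, extensions=()):
    """Build a minimal TLS 1.0 ClientHello record (constructed test input)."""
    body = struct.pack("!H", 0x0301) + bytes(32)          # client_version + zeroed random
    body += b"\x00"                                       # empty session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # TLS record


def parse_client_hello(record):
    """Return (cipher_suites, {ext_type: ext_data}) parsed from a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    exts = {}
    if pos < len(body):                                   # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return suites, exts


def check_secure_renegotiation(record):
    """Report which RFC 5746 signal(s) the ClientHello carries, if any."""
    suites, exts = parse_client_hello(record)
    has_scsv = SCSV in suites
    has_ext = RENEG_INFO_EXT in exts
    return {"scsv": has_scsv, "extension": has_ext, "secure": has_scsv or has_ext}


# Constructed sample hellos, not captures from the article. The first two would
# pass a force-secure-renegotiation check; the third would not.
HELLO_SCSV = build_client_hello([DHE_RSA_AES256_SHA, DHE_RSA_CAMELLIA256_SHA, SCSV])
HELLO_EXT = build_client_hello([DHE_RSA_AES256_SHA],
                               [(RENEG_INFO_EXT, b"\x00")])  # empty renegotiated_connection
HELLO_NONE = build_client_hello([DHE_RSA_AES256_SHA, DHE_RSA_CAMELLIA256_SHA])

if __name__ == "__main__":
    for name, hello in (("SCSV", HELLO_SCSV), ("extension", HELLO_EXT), ("none", HELLO_NONE)):
        print(name, check_secure_renegotiation(hello))
```

The same parser can be pointed at a real ClientHello taken from a packet capture on the proxy (the events.log shows a PCAP being started) to see which signal, if either, a given browser actually sends; the article itself does not say which side of the intercepted connection lacks the signal for the affected sites.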

Resolution

This was being investigated under B#181464 and has been addressed in SGOS 6.5.

Currently, there are no plans to address this in SGOS 5.x or in SGOS 6.x releases prior to 6.5.


Workaround

1. For Mozilla Firefox, go to about:config and set security.ssl3.dhe_rsa_camellia_256_sha to false. This disables only the TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher suite in that browser; it has to be applied on each client and does not change what the ProxySG enforces.

2. Disabling SSL interception for the affected sites is also a possible workaround, although not recommended, because the ProxySG can then no longer inspect the HTTPS traffic to those sites.