SSL error occurs when users try to access some HTTPS sites

Article ID: 168236

Products

ProxySG Software - SGOS

Issue/Introduction

This is a known issue in SGOS 6.2.x (B#197914) and in SGOS 6.4.x (B#190218).

The issue occurs when the server does not recognize the server extension and returns a warning message (Unrecognized name). Previously, the appliance would drop the connection, as the SSL implementation recommends. With the introduction of TLS (renegotiation), the behavior has changed to allow the client to renegotiate when the server responds with a warning.

Example of PCAP file:
 
<--- client sent Client Hello
4    2014-01-27 17:55:57.333999    10.169.0.53        12.173.81.44    TLSv1    241        Client Hello
<--- SG sent the same client hello to the OCS
8    2014-01-27 17:55:57.363000    10.169.3.178    12.173.81.44    TLSv1    241        Client Hello
<--- OCS sent Server Hello with Alert(Unrecognized Name) as well as certificate
9    2014-01-27 17:55:57.392999    12.173.81.44    10.169.3.178    TLSv1    1434        Alert (Level: Warning, Description: Unrecognized Name), Server Hello
10    2014-01-27 17:55:57.392999    12.173.81.44    10.169.3.178    TLSv1    150        Certificate
<--- SG acknowledged the server hello & certificate, and sent the Alert to the client.
11    2014-01-27 17:55:57.392999    10.169.3.178    12.173.81.44    TCP    60        59232 > 443 [ACK] Seq=62545189 Ack=3036911236 Win=65164 Len=0
12    2014-01-27 17:55:57.392999    12.173.81.44    10.169.0.53     TLSv1    61        Alert (Level: Warning, Description: Unrecognized Name)
<--- SG then closed both server and client connections.
13    2014-01-27 17:55:57.394000    10.169.3.178    12.173.81.44    TCP    60        59232 > 443 [FIN, ACK] Seq=62545189 Ack=3036911236 Win=65535 Len=0
14    2014-01-27 17:55:57.394000    12.173.81.44    10.169.0.53        TCP    60        443 > 53019 [FIN, ACK] Seq=2078261425 Ack=2858178668 Win=65535 Len=0
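
The following Python example is added here and is not Blue Coat code or part of the original article. It parses a server reply shaped like frame 9 of the capture (a warning-level Unrecognized Name alert followed by a Server Hello) and separates that case, which the changed behavior tolerates, from a fatal alert. The function names and byte strings are constructed for illustration.

```python
import struct

ALERT, HANDSHAKE = 21, 22      # TLS record content types
WARNING, FATAL = 1, 2          # alert levels
UNRECOGNIZED_NAME = 112        # alert description defined in RFC 6066
SERVER_HELLO = 2               # handshake message type

def records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, payload
        pos += 5 + length

def classify_server_flight(stream):
    """Decide what a TLS client or proxy should do with the server's reply."""
    name_warning = False
    for ctype, payload in records(stream):
        if ctype == ALERT:
            if len(payload) != 2:
                raise ValueError("malformed alert")
            level, description = payload
            if level == WARNING and description == UNRECOGNIZED_NAME:
                name_warning = True      # informational: keep reading
                continue
            return "abort"               # fatal or any other alert
        if ctype == HANDSHAKE and payload[:1] == bytes([SERVER_HELLO]):
            return "continue-after-name-warning" if name_warning else "continue"
    return "need-more-data"              # no Server Hello seen yet

# Constructed sample records (TLS 1.0 record version 0x0301), not real capture bytes.
WARN_ALERT = bytes.fromhex("15030100020170")
FATAL_ALERT = bytes.fromhex("15030100020270")
HELLO_STUB = bytes.fromhex("160301000402000000")   # Server Hello header, empty body

if __name__ == "__main__":
    for name, data in [("warning + hello", WARN_ALERT + HELLO_STUB),
                       ("fatal alert", FATAL_ALERT),
                       ("hello only", HELLO_STUB)]:
        print(name, "->", classify_server_flight(data))
```

Treating every alert other than the warning-level Unrecognized Name as a reason to abort is a simplification made for this example.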


 

Resolution

For a ProxySG 510 appliance, Blue Coat recommends upgrading to SGOS 6.4.6.3.

For other appliances, upgrade to SGOS 6.2.16.1 or SGOS 6.5.5.1.