Behavior change between SGOS 6.2 and 6.5 for SSL cipher selection

Article ID: 168299

Products

ProxySG Software - SGOS

Issue/Introduction

How the ProxySG handles SSL cipher selection for server and client connections depends on the version of SGOS your appliance is running. As of SGOS 6.5.x, the ProxySG appliance supports DHE ciphers for both server and client connections. Versions earlier than SGOS 6.5.x do not support DHE ciphers for client connections.

For example, when accessing a website that supports a newer set of ciphers (such as ECDHE) with Firefox 33 or later:

  • An appliance running SGOS 6.2.16.2 uses DHE ciphers for server connections and RSA for client connections.

    Client (UA is Firefox) ------------------------- SG ------------------------- OCS
      <--- TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) --->   <--- TLS_DHE_RSA_WITH_AES_128_CBC_SHA --->

  • An appliance running SGOS 6.5.5.7 uses DHE ciphers for both connections.

    Client (UA is Firefox) ------------------------- SG ------------------------- OCS
      <--- TLS_DHE_RSA_WITH_AES_128_CBC_SHA --->        <--- TLS_DHE_RSA_WITH_AES_128_CBC_SHA --->
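The practical difference between the two cases is that RSA key exchange on the client leg gives no forward secrecy, while DHE does. The following added example (not from the original article or the vendor; the function names are hypothetical) classifies the suite names shown above and flags a proxy whose client leg is weaker than its server leg.

```python
import re

# IANA TLS 1.2-style name: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>.
# TLS 1.3 names (no _WITH_) carry no key-exchange token and are rejected.
_SUITE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_[A-Z0-9_]+$")

def key_exchange(suite: str) -> str:
    """Return the key-exchange token of a suite name, e.g. 'RSA' or 'DHE'."""
    m = _SUITE.match(suite.strip())
    if m is None:
        raise ValueError(f"not a TLS 1.2-style suite name: {suite!r}")
    return m.group("kx").split("_")[0]

def forward_secret(suite: str) -> bool:
    """Only ephemeral (EC)DH key exchange provides forward secrecy."""
    return key_exchange(suite) in {"DHE", "ECDHE"}

def audit_legs(client_leg: str, server_leg: str) -> str:
    """Compare the client<->SG suite with the SG<->OCS suite."""
    c, s = forward_secret(client_leg), forward_secret(server_leg)
    if c and s:
        return "ok"
    if s and not c:
        return "client-leg-not-forward-secret"
    if c and not s:
        return "server-leg-not-forward-secret"
    return "no-forward-secrecy"

# Suite pairs as shown in the article: (client leg, server leg).
OBSERVED = {
    "SGOS 6.2.16.2": ("TLS_RSA_WITH_AES_128_CBC_SHA",
                      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
    "SGOS 6.5.5.7": ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                     "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
}

def audit_all(observed=OBSERVED) -> dict:
    """Map each SGOS version to the verdict for its pair of legs."""
    return {version: audit_legs(*legs) for version, legs in observed.items()}

if __name__ == "__main__":
    for version, verdict in audit_all().items():
        print(f"{version}: {verdict}")
```

To audit a real deployment, feed `audit_legs` the suite names recorded for each leg in a packet capture or the proxy's own logs.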