When functioning as a reverse proxy, how does the ProxySG appliance respond if a server does not respond with a Server Hello?

Article ID: 168335

Products

ProxySG Software - SGOS

Issue/Introduction

Users fail to connect to the backend server through the reverse proxy.

Cause

In reverse proxy configurations, the SSL or TLS version used to negotiate with the backend server is set under the SSL Client options. However, even when the SSL Client has all TLS versions enabled (v1.0, v1.1 and v1.2), the proxy does not retry with another version when the version offered in the initial connection fails.

Example scenario:

The ProxySG appliance has all TLS versions enabled under the SSL Client. When a request is initiated by a user outside the protected network, the ProxySG appliance sends a Client Hello to the server. The server responds with an error or a failure message that causes the connection to be closed; there is no Server Hello. In this case, the proxy does not try to negotiate other TLS versions.


Resolution

This is expected behavior (by design): in a reverse proxy setup, the proxy does not retry with another protocol version, or negotiate a different protocol, when the initial attempt fails because the server responded with an error or failure message instead of a Server Hello.

Typically, a Server Hello "informs" the proxy which version of SSL/TLS to use. For example, if the proxy offers TLSv1.2 and the server does not support it, the server should send a Server Hello back to the proxy indicating that it wants to use TLSv1.0 rather than TLSv1.2.
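As an added illustration (not part of this article and not ProxySG code), the script below shows the two outcomes described above from the point of view of a TLS client: the first record that comes back after a Client Hello is either a Server Hello carrying the version the server selected, or an alert (or nothing at all) that ends the negotiation. The record samples are constructed by hand for the example. It also includes a small probe, `probe_backend`, that tries one handshake per TLS version against a backend, which is the per-version check an administrator can run to learn which versions a backend actually completes before settling on the SSL Client setting; the host name in the usage line is a hypothetical placeholder.

```python
"""Classify the first TLS record a backend returns after a Client Hello, and
probe a backend one TLS version at a time.  Added example; the sample records
below are constructed for this illustration, not captured from a real server.
"""
import socket
import ssl
import struct

CONTENT_ALERT = 21          # TLS record content type: alert
CONTENT_HANDSHAKE = 22      # TLS record content type: handshake
HANDSHAKE_SERVER_HELLO = 2  # handshake message type: ServerHello

TLS_VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def classify_server_response(data: bytes) -> dict:
    """Return what the client learns from the first record sent by the server.

    A Server Hello yields the negotiated version; an alert yields its level and
    description; an empty read means the peer closed without any record.
    """
    if len(data) < 5:
        return {"kind": "no_response"}
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if content_type == CONTENT_ALERT and len(body) >= 2:
        level, description = body[0], body[1]
        return {"kind": "alert",
                "level": "fatal" if level == 2 else "warning",
                "description": ALERT_DESCRIPTIONS.get(description, str(description))}
    if content_type == CONTENT_HANDSHAKE and len(body) >= 6 and body[0] == HANDSHAKE_SERVER_HELLO:
        # Handshake header is type(1) + length(3); server_version follows.
        # (TLS 1.3 keeps this field at 3.3 and signals its real version in the
        # supported_versions extension; this parser covers TLS 1.0 to 1.2.)
        version = (body[4], body[5])
        return {"kind": "server_hello", "version": TLS_VERSIONS.get(version, "%d.%d" % version)}
    return {"kind": "other", "content_type": content_type}


# Constructed sample: a Server Hello selecting TLSv1.0 (random, session id and
# cipher suite are dummy values chosen for the example).
SERVER_HELLO_TLS10 = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x2A])  # record header: handshake, 42 bytes follow
    + bytes([0x02, 0x00, 0x00, 0x26])      # ServerHello, 38-byte body
    + bytes([0x03, 0x01])                  # server_version = TLSv1.0
    + bytes(32)                            # server random (zeros)
    + bytes([0x00])                        # session id length 0
    + bytes([0x00, 0x2F])                  # cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
    + bytes([0x00])                        # compression method null
)

# Constructed sample: a fatal protocol_version alert sent instead of a Server Hello.
FATAL_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])


def probe_backend(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one handshake per TLS version and report the outcome of each.

    This is the retry the article says the proxy does not perform; running it
    by hand tells you which versions the backend completes.
    """
    results = {}
    for name, version in (("TLSv1.0", ssl.TLSVersion.TLSv1),
                          ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                          ("TLSv1.2", ssl.TLSVersion.TLSv1_2)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we want the handshake version, not cert validity
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[name] = "not available in the local OpenSSL build"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "server hello: negotiated %s" % tls.version()
        except ssl.SSLError as exc:
            results[name] = "no server hello: %s" % (exc.reason or exc)
        except OSError as exc:
            results[name] = "connection error: %s" % exc
    return results


if __name__ == "__main__":
    print(classify_server_response(SERVER_HELLO_TLS10))  # server picked TLSv1.0
    print(classify_server_response(FATAL_ALERT))         # fatal protocol_version alert
    print(classify_server_response(b""))                 # closed without a record
    # Hypothetical backend host; replace with the real origin server to probe it:
    # print(probe_backend("backend.example.internal", 443))
```

If the probe reports "server hello" for only one version, that is the version to select under the SSL Client, since the proxy will not fall back on its own.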

Workaround

None.