Unable to load SSL YouTube Video on ProxySG Using Chrome 50 or Higher


Article ID: 169077


Products

Asset Management Solution, Data Center Security Monitoring Edition, ProxySG Software - SGOS

Issue/Introduction

Symantec ProxySG

YouTube requires video to be loaded from the googlevideo.com domain. As mentioned in the following alert (https://support.symantec.com/en_US/article.ALERT2311.html), the actual video from the googlevideo.com domain fails to load when SSL interception is enabled.

Cause

Google uses Elliptic Curve (EC) X25519 for the ECDHE cipher, which is used in Google Chrome version 50. As a result, since May 10, 2016, SSL connections to Google services that use this type of certificate fail when Chrome doesn’t have the ALPN extension.

Resolution

A fix for this issue is anticipated in SGOS version 6.6.4.1. For SGOS version 6.5 branches, a fix is anticipated in SGOS version 6.5.9.8.

Workaround

To work around this issue, the SSL Proxy service must be disabled for the googlevideo.com domain. 

For explicit deployments, add the following local policy:

<proxy>
url.domain=//googlevideo.com detect_protocol(no)
url.domain=//ytimg.com detect_protocol(no)
url.domain=//youtube.com detect_protocol(no)

 
For transparent deployments, the server IP addresses must be added to the static bypass list, or TCP-Tunnel type services must be created specifically for these IP addresses. As IP addresses vary by region, verify which IP addresses your local DNS server resolves googlevideo.com to, and add them to the static bypass list or tunnel policy.
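
One way to carry out the verification step for transparent deployments, as an added example that is not part of the original article or any Symantec tooling: it resolves the three domains from the policy above through the local resolver and reports which addresses are missing from, or no longer returned for, the bypass list you already maintain. The function names, the IPv4-only scope and the `current_bypass` input are assumptions of this example.

```python
import ipaddress
import socket

# Domains taken from the workaround policy in this article.
DOMAINS = ["googlevideo.com", "ytimg.com", "youtube.com"]

def system_resolver(host):
    """Return the IPv4 addresses the local DNS resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, family=socket.AF_INET,
                                   proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # unresolvable name contributes nothing
    return [info[4][0] for info in infos]

def bypass_candidates(hosts, resolver=system_resolver):
    """Map each usable IPv4 address to the sorted hostnames that returned it."""
    found = {}
    for host in hosts:
        for addr in resolver(host):
            ip = ipaddress.ip_address(addr)
            # Assumption: IPv4 only. Skip 0.0.0.0 and loopback answers, which
            # DNS sinkholes return and which must not reach a bypass list.
            if ip.version != 4 or ip.is_unspecified or ip.is_loopback:
                continue
            found.setdefault(str(ip), set()).add(host)
    return {ip: sorted(names) for ip, names in found.items()}

def diff_against_current(candidates, current_bypass):
    """Compare fresh DNS answers with the addresses already bypassed."""
    fresh, current = set(candidates), set(current_bypass)
    key = ipaddress.ip_address  # numeric order, not string order
    return {
        "add": sorted(fresh - current, key=key),
        "stale": sorted(current - fresh, key=key),
    }

if __name__ == "__main__":
    result = bypass_candidates(DOMAINS)
    for ip in sorted(result, key=ipaddress.ip_address):
        print(ip, ",".join(result[ip]))
```

Run it from a host that uses the same DNS server as the proxied clients, since the answers vary by region and over time; entries reported as `stale` should be reviewed before removal rather than dropped automatically.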