SSL Decode Error with some sites when using SGOS 6.7.2.X and SGOS prior to 6.6.5.14

Article ID: 170107

Products

  • Advanced Secure Gateway Software - ASG
  • ProxySG Software - SGOS

Issue/Introduction

This article describes an issue affecting SGOS 6.7.2.X releases when accessing certain HTTPS sites: the SSL handshake with the destination server fails.

The failure shows up in a packet capture as a TLS alert record (level 2 = fatal, description 50 = decode_error):

  • Alert (Level: Fatal, Description: Decode Error)

The error is seen when the client is a current version of Mozilla Firefox or Google Chrome, but not with Internet Explorer.

The same alert is also seen on SGOS releases prior to 6.6.5.14 when TLSv1.2 is negotiated, although the underlying cause there is different (see Cause below).

Cause

The SSL handshake breaks after the proxy receives the Server Hello flight from the destination server: the server has selected an elliptic curve that the ProxySG does not support.

The curve offered by the client is listed in the ClientHello under the extension that Wireshark labels "Extension: elliptic_curves" (newer Wireshark versions call the same extension supported_groups); the curve the server actually picked is carried in the ServerKeyExchange as the named curve.

Example:

  • Elliptic curve: ecdh_x25519 (0x001d)
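To check a capture for this condition without relying on Wireshark's labels, the following script, added here as an illustration and not part of the original article, walks raw TLS 1.2 records, extracts the named groups offered in the ClientHello's supported_groups extension (type 0x000a), reads the curve chosen in the ECDHE ServerKeyExchange, and decodes the alert. The byte strings it runs on are constructed inline (a ClientHello offering x25519 first, a ServerKeyExchange selecting x25519, and a fatal decode_error alert); they are not the article's capture, and the builder functions exist only to produce that sample.

```python
import struct

HANDSHAKE, ALERT = 22, 21                  # TLS record content types
CLIENT_HELLO, SERVER_KEY_EXCHANGE = 1, 12  # handshake message types
EXT_SUPPORTED_GROUPS = 0x000A              # "elliptic_curves" in older Wireshark
X25519 = 0x001D
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
               0x001D: "x25519", 0x001E: "x448"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {40: "handshake_failure", 47: "illegal_parameter",
               50: "decode_error", 70: "protocol_version"}

def tls_records(data):
    """Split a raw byte stream into (content_type, body) TLS records."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[i:i + 5])
        out.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out

def handshake_messages(body):
    """Split a handshake record body into (msg_type, msg_body) pairs."""
    out, i = [], 0
    while i + 4 <= len(body):
        length = int.from_bytes(body[i + 1:i + 4], "big")
        out.append((body[i], body[i + 4:i + 4 + length]))
        i += 4 + length
    return out

def client_hello_groups(ch):
    """Return the named groups a ClientHello offers in supported_groups."""
    i = 2 + 32 + 1 + ch[34]                          # version, random, session_id
    i += 2 + struct.unpack("!H", ch[i:i + 2])[0]     # cipher_suites
    i += 1 + ch[i]                                   # compression_methods
    if i + 2 > len(ch):
        return []                                    # no extensions block at all
    end = i + 2 + struct.unpack("!H", ch[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[i:i + 4])
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", ch[i + 4:i + 6])[0]
            return list(struct.unpack("!%dH" % (n // 2), ch[i + 6:i + 6 + n]))
        i += 4 + elen
    return []

def server_key_exchange_curve(ske):
    """Named curve from an ECDHE ServerKeyExchange (curve_type 3), else None."""
    return struct.unpack("!H", ske[1:3])[0] if ske[0] == 3 else None

def decode_alert(body):
    return ALERT_LEVELS.get(body[0], str(body[0])), ALERT_DESCS.get(body[1], str(body[1]))

def diagnose(stream):
    """Report the offered groups, the server's choice and any alert in the stream."""
    report = {"offered": [], "selected": None, "alert": None}
    for ctype, body in tls_records(stream):
        if ctype == HANDSHAKE:
            for mtype, mbody in handshake_messages(body):
                if mtype == CLIENT_HELLO:
                    report["offered"] = [GROUP_NAMES.get(g, hex(g)) for g in client_hello_groups(mbody)]
                elif mtype == SERVER_KEY_EXCHANGE:
                    c = server_key_exchange_curve(mbody)
                    report["selected"] = None if c is None else GROUP_NAMES.get(c, hex(c))
        elif ctype == ALERT:
            report["alert"] = decode_alert(body)
    report["x25519_negotiated"] = report["selected"] == "x25519"
    return report

# --- Constructed sample exchange (hand-built bytes, not the article's capture) ---
def _record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def _handshake(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def build_client_hello(groups):
    blob = struct.pack("!H", 2 * len(groups)) + struct.pack("!%dH" % len(groups), *groups)
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(blob)) + blob
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    return _record(HANDSHAKE, _handshake(CLIENT_HELLO, body))

def build_server_key_exchange(curve):
    body = b"\x03" + struct.pack("!H", curve) + b"\x20" + b"\x22" * 32  # named_curve + point
    return _record(HANDSHAKE, _handshake(SERVER_KEY_EXCHANGE, body))

def build_alert(level, desc):
    return _record(ALERT, bytes([level, desc]))

# Browser offers x25519 first, server picks it, proxy answers fatal decode_error (2, 50).
SAMPLE_STREAM = (build_client_hello([X25519, 0x0017, 0x0018])
                 + build_server_key_exchange(X25519) + build_alert(2, 50))

if __name__ == "__main__":
    print(diagnose(SAMPLE_STREAM))
```

On a real capture, feed the reassembled TCP payload of the server-bound and server-originated streams to `diagnose`; if `selected` is x25519 and the alert is a fatal decode_error, the capture matches the pattern described above. A ServerKeyExchange whose first byte is not 3 (non-ECDHE key exchange) yields `selected = None`, which rules this cause out.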

On SGOS releases prior to 6.6.5.14 the cause is different: the proxy does not support a signature algorithm used with TLSv1.2. This was fixed starting with SGOS 6.6.5.14.

Resolution

  1. In explicit deployments, a possible workaround is to disable Protocol Detection for the affected sites.
  2. In transparent deployments, add the affected sites to the Static Bypass List. The static bypass list matches on IP addresses, so enter the site's server address(es) rather than its hostname.
  3. Downgrade the appliance to an SGOS release that supports the elliptic curve described above:
    • The latest SGOS 6.5.X and 6.6.X releases support it; for 6.6.X, use 6.6.5.14 or later so as not to reintroduce the TLSv1.2 signature algorithm issue.
    • SGOS 6.7.1.X releases support it.

Note that the first two workarounds pass the connection through without SSL interception or content inspection, so scope them to the specific sites that fail rather than applying them broadly.
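For workaround 1, the following CPL fragment is added here as an illustration of how protocol detection can be turned off for one destination; it is not taken from the article. `example.com` is a placeholder for the real site, and the rule assumes an explicit deployment, where the CONNECT request supplies the hostname that `url.domain=` is matched against (in a transparent deployment no hostname is available at this point, which is why the article recommends the static bypass list there).

```cpl
; Added example, not from the article. example.com is a placeholder.
; Disable protocol detection only for the affected destination, so the
; tunnelled HTTPS session is passed through instead of being parsed.
<proxy>
    url.domain=example.com detect_protocol(no)
```

Keep the match as narrow as possible: every connection this rule covers is tunnelled without SSL interception.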