HTTPS requests may fail when using Firefox or Chrome

Article ID: 170467

Products

Advanced Secure Gateway Software - ASG, SG-300, SG-600, SG-510, SG-810, SG-9000, SG-900, SG-S500, SG-S400, Secure Web Gateway Virtual Appliance, SG-S200, ProxySG Software - SGOS, SWG VA-100

Issue/Introduction

HTTPS requests may fail when all of the following are true:

  1. The request comes from a Firefox or Chrome browser.
  2. The ProxySG or ASG is running a 6.7.1.x, 6.7.2.1 or 6.7.2.2 release.
  3. SSL interception is enabled on the ProxySG or ASG, either through an SSL Proxy service or through protocol detection.


Cause

Some web servers have changed their signature algorithm preferences to include algorithms that SGOS does not support. When the client advertises such an algorithm in the signature_algorithms list of its ClientHello and the server selects one that SGOS does not support, the ProxySG or ASG closes the connection in the middle of the TLS handshake with a fatal 'decode_error' alert, which can be seen in a packet capture (pcap). The browser reports a connection failed error.

This has been seen mostly with Akamai's servers, which host many web sites.
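
The following is an added example written for this article; it is not SGOS code and not taken from a real capture. It models the handshake failure described above in TLS 1.2 terms: it builds a ClientHello that carries a signature_algorithms list, builds an ECDHE ServerKeyExchange in which the server picks one of those algorithms, and shows what an intercepting proxy that cannot verify the chosen algorithm would send back (a fatal decode_error alert, AlertDescription 50) and how to decode that alert when you find it in a pcap. Everything below that is not in the article is an assumption: the `SUPPORTED_BY_PROXY` set is hypothetical, the RSA-PSS codepoints are only an illustration of the kind of newer algorithm a server might prefer (the article does not name the algorithms), the byte strings are constructed by hand, and the proxy is modelled as passing the browser's signature_algorithms list to the server unchanged, which is how the article describes the failure but is not a documented SGOS behaviour.

```python
"""Added example: model the TLS 1.2 signature_algorithms failure described in the
article. Not SGOS code. SUPPORTED_BY_PROXY is a hypothetical stand-in for what an
intercepting proxy implements; all byte strings are constructed by hand."""
import struct

# SignatureAndHashAlgorithm / SignatureScheme codepoints (RFC 5246 7.4.1.4.1, RFC 8446 4.2.3).
SIGALG_NAMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0807: "ed25519",
}
# Hypothetical: an intermediary that can verify only PKCS#1 v1.5 and ECDSA signatures.
SUPPORTED_BY_PROXY = {0x0401, 0x0501, 0x0601, 0x0403, 0x0503}

ALERT_FATAL = 2
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 50: "decode_error"}
EXT_SIGNATURE_ALGORITHMS = 13


def build_client_hello(sigalgs):
    """Construct a minimal TLS 1.2 ClientHello body (the bytes after the 4-byte
    Handshake header) that offers the given signature algorithms."""
    sa = b"".join(struct.pack("!H", s) for s in sigalgs)
    ext = struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(sa) + 2, len(sa)) + sa
    return (b"\x03\x03" + bytes(32)        # client_version 1.2, random (zeros: constructed)
            + b"\x00"                      # empty session_id
            + b"\x00\x02\xc0\x2f"          # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)


def parse_client_hello_sigalgs(body):
    """Walk a ClientHello body and return its signature_algorithms list, or []
    when the extension is absent."""
    off = 2 + 32                                          # client_version, random
    off += 1 + body[off]                                  # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    if off >= len(body):
        return []
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data, off = body[off + 4:off + 4 + elen], off + 4 + elen
        if etype == EXT_SIGNATURE_ALGORITHMS:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def build_server_key_exchange(sigalg, point=b"\x04" + bytes(64), signature=bytes(8)):
    """Construct an ECDHE ServerKeyExchange body (RFC 4492 5.4) for secp256r1.
    The point and signature are placeholder bytes; the chosen sigalg is what matters."""
    return (b"\x03\x00\x17"                               # curve_type named_curve, secp256r1
            + bytes([len(point)]) + point
            + struct.pack("!H", sigalg)                   # SignatureAndHashAlgorithm chosen by server
            + struct.pack("!H", len(signature)) + signature)


def parse_server_key_exchange_sigalg(body):
    """Skip the ECDHE params and return the SignatureAndHashAlgorithm the server chose."""
    if body[0] != 3:
        raise ValueError("only named_curve ECDHE params are handled here")
    off = 4 + body[3]          # curve_type(1) + named_curve(2) + point_len(1) + point
    return struct.unpack("!H", body[off:off + 2])[0]


def alert_record(level, description):
    """TLS record: ContentType alert(21), version 1.2, length 2, then level + description."""
    return bytes([0x15, 0x03, 0x03, 0x00, 0x02, level, description])


def intermediary_verdict(client_hello, server_key_exchange, supported=SUPPORTED_BY_PROXY):
    """Model the intercepting proxy. Assumption (not documented SGOS behaviour): it
    passes the browser's signature_algorithms list to the server unchanged and then
    must verify the server's signature itself. Returns (status, alert_record)."""
    offered = parse_client_hello_sigalgs(client_hello)
    chosen = parse_server_key_exchange_sigalg(server_key_exchange)
    if chosen not in offered:
        # The server broke the negotiation; a compliant peer aborts with illegal_parameter.
        return "illegal_parameter", alert_record(ALERT_FATAL, 47)
    if chosen not in supported:
        # The article's case: a legal choice the proxy cannot verify, so it aborts
        # mid-handshake with decode_error and the browser sees a failed connection.
        return "decode_error", alert_record(ALERT_FATAL, 50)
    return "ok", None


def describe_alert(record):
    """Decode a plaintext alert record as seen in a pcap: (level, description, name)."""
    if record[0] != 0x15 or record[3:5] != b"\x00\x02":
        raise ValueError("not a plaintext alert record")
    level, desc = record[5], record[6]
    return level, desc, ALERT_NAMES.get(desc, "unknown(%d)" % desc)


if __name__ == "__main__":
    # Constructed exchange: the browser offers RSA-PSS first and the server takes it.
    hello = build_client_hello([0x0804, 0x0401, 0x0403])
    status, rec = intermediary_verdict(hello, build_server_key_exchange(0x0804))
    print(status, rec.hex(), describe_alert(rec), SIGALG_NAMES[0x0804])
    print(intermediary_verdict(hello, build_server_key_exchange(0x0401)))
```

When checking a real capture, filter for the alert rather than searching by hand: in Wireshark the display filter `tls.alert_message.desc == 50` (older releases use the `ssl.` prefix) isolates decode_error alerts, and the direction of the alert tells you whether the proxy or the origin server gave up. Comparing the signature_algorithms extension in the browser's ClientHello with the SignatureAndHashAlgorithm field of the server's ServerKeyExchange, as the functions above do, confirms that the server made a legal choice the intermediary simply does not implement.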

Resolution

The fix for this issue is available in 6.7.2.3 and newer 6.7 releases.

How to work around this issue until an upgrade to a release with the fix can be done:

  • For transparent deployments, change the HTTPS service (or any SSL Proxy based service) to the TCP-Tunnel type with protocol detection disabled.
  • For explicit deployments, disable protocol detection on the explicit HTTP service.
  • Disable any policy rules that enable protocol detection.

Note: The above workaround disables SSL interception and decryption. This removes visibility into HTTPS requests for authentication, ICAP processing, etc., so treat it as temporary and upgrade to 6.7.2.3 or later to restore interception.