HTTPS requests may fail when the following is true:

1. Request is from Firefox or Chrome browsers
2. ProxySG or ASG is running a 6.7.1.x, 6.7.2.1 or 6.7.2.2 release
3. ProxySG or ASG has SSL proxy enabled through an SSL proxy service or protocol detection being enabled.

Some web servers have altered their signature algorithm preferences to include algorithms SGOS does not support.  When the client includes an algorithm in its supported list and the server selects one not supported by SGOS the ProxySG or ASG will close the connection in the middle of the SSL handshake with a ‘Decode error’ alert that can be seen in a packet capture (pcap).  The result is a connection failed error in the client’s browser.

This has been seen mostly with Akamai’s servers which host various web sites.

The fix for this issue is available in 6.7.2.3 and newer 6.7 releases.

How to work-around this issue until an upgrade to a release with the fix can be done:

• For transparent deployments the HTTPS service (or any SSL Proxy based service) will need to be changed to TCP-Tunnel type with protocol detection disabled.
• For explicit deployments protocol detection must be disabled on the explicit HTTP service.
• Policy rules enabling protocol detection should be disabled.

Note: The above work around disables SSL interception and decryption.  This will impact visibility into HTTPS requests for authentication, ICAP processing, etc.