When the ProxySG or ASG appliance is proxying traffic, end users cannot access Facebook/Instagram mobile applications

Users cannot access these applications because the SSL Proxy ciphers do not overlap with the incoming client's cipher list. This affects ProxySG/ASG appliances running SGOS 6.5.x, 6.6.x, or 6.7.x.

In cases where the client hello has cipher suites we can support, but upstream an unsupported cipher is chosen, we can renegotiate taking out the unsupported cipher only in a second request. In this case, the upstream would be downgraded to make the connection possible. However, Facebook/Instagram mobile applications are enforced to only use TLS 1.3, which only has three cipher suites. Currently, the ProxySG/ASG appliances will only support TLS 1.3 if it will downgrade the connection and process as TLS 1.2. The application sends only three ciphers, which does not allow the proxy to downgrade from TLS 1.3 to TLS 1.2. 

Example Log Output

1787.163 SSLW 21BFD381D0 (6380FDB0): shutdown: SSL Worker previous state 2, error code 15, line 540
1787.163 SSLW 21BFD381D0 (6380FDB0): Unknown client SSL ciphers(error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) for ssl://31.13.72.8:443/
1787.161 SSLW 212704D1D0 (4C40FB21): SSL Intercept URL: "ssl://216.58.211.10:443/"
1787.159 SSLW 2111CFE1D0 (3E40F92F): No SSL intercept decision for ssl://mvm.snapchat.com:443/
1787.159 SSLW 2111CFE1D0 (3E40F92F): SSL Proxy URL: "ssl://mvm.snapchat.com:443/"
1787.159 SSLW 2111CFE1D0 (3E40F92F): Intercept property set to no for *.snapchat.com
1787.158 SSLW 1E057151D0 (4C00FB21): shutdown: SSL Worker previous state 2, error code 15, line 540
1787.158 SSLW 1E057151D0 (4C00FB21): Unknown client SSL ciphers(error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) for ssl://31.13.72.8:443/

In this example log file, the following three incoming cipher lists in the client hello from the Android mobile devices are not present in the SSL Proxy's cipher list.

Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)

 
To compare the list of cipher suites the mobile devices use to the suites the ProxySG/ASG appliances are shipped with, see Cipher Suites Shipped With the ProxySG and ASG Appliances and compare the IANA name or the hex value of the mobile device suites.

To workaround this issue for tranparent proxies:

1. In the Management Console, click Configuration > Proxy Settings > General.
2. Enable TCP tunnel requests when a protocol error is detected.
3. Click Apply.

To workaround this issue for explicit proxies:

1. In the Management Console, click Configuration > Services > Proxy Services.
2. Select the service that handles the Facebook and Instagram mobile applications and click Edit Service.
3. Deselect Detect Protocol.
4. Click OK.
5. Click Apply.

The applications work in Chrome as the SSL Proxy's cipher suite overlaps with Chrome's client hello cipher suite.

Cipher Suites (17 suites)

Cipher Suite: Reserved (GREASE) (0x4a4a)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)