Many sites are getting connect_method_denied on standard port 443

Article ID: 225788

Products

Web Security Service - WSS

Issue/Introduction

You are seeing a connect_method_denied verdict in the WSS reports for connections to tcp://ip-or-domain on port 443. You are not sure why the error is being triggered, as the connection is on a standard port.

 

Cause

In the PCAP taken, we can see that immediately after the HTTP 200 Connection Established response, the client sends a FIN.

WSS received the initial CONNECT request and passed back a 200 OK. The next packet should be a Client Hello from the client side to initiate the SSL handshake. If, for any reason, this packet does not reach WSS, the connection is considered a tunneling attempt of a non-SSL protocol and hits the "Connect_Method_Denied" exception.

WSS Proxy: 192.168.1.83 / Client: 10.230.0.5 

 

Resolution

The proxy is operating normally. Looking at a few customer accounts, we generally see that this traffic is generated by browser user agents and normally causes virtually no impact, as it is either temporary or the application successfully establishes SSL on its next connections.

To prove that this is not caused by the client-side applications, we would need to see PCAPs from the gateway showing that the Client Hello is being sent.
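When reviewing such a PCAP, the check comes down to what the client sends after the proxy's 200. The sketch below is an added example, not Symantec/WSS code: it classifies one CONNECT flow from already-decoded packet records. The function names, outcome labels and sample packets are assumptions constructed for illustration.

```python
# Added example; packet records below are constructed, not from a real capture.
def is_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS handshake record carrying a ClientHello."""
    return (len(payload) >= 6
            and payload[0] == 0x16   # record type: handshake
            and payload[1] == 0x03   # record version major
            and payload[5] == 0x01)  # handshake type: ClientHello

def classify_tunnel(packets):
    """packets: ordered (sender, tcp_flags, payload) for one TCP connection."""
    state = "await_connect"
    for sender, flags, payload in packets:
        if state == "await_connect":
            if sender == "client" and payload.startswith(b"CONNECT "):
                state = "await_200"
        elif state == "await_200":
            if sender == "proxy" and payload.startswith(b"HTTP/1."):
                parts = payload.split(None, 2)
                if len(parts) < 2 or parts[1] != b"200":
                    return "connect_refused_by_proxy"
                state = "await_client_data"
        elif state == "await_client_data" and sender == "client":
            if payload:  # first client bytes inside the tunnel decide the outcome
                return "client_hello_sent" if is_client_hello(payload) else "non_tls_payload"
            if flags & {"FIN", "RST"}:
                return "closed_without_client_hello"
    return "incomplete_capture"

CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
OK_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
HELLO = bytes.fromhex("16030100050100000100")  # constructed ClientHello prefix

# Pattern from the article: the 200 is followed immediately by a client FIN.
FIN_AFTER_200 = [
    ("client", {"PSH", "ACK"}, CONNECT),
    ("proxy", {"PSH", "ACK"}, OK_200),
    ("client", {"ACK"}, b""),
    ("client", {"FIN", "ACK"}, b""),
]
NORMAL_TLS = FIN_AFTER_200[:2] + [("client", {"PSH", "ACK"}, HELLO)]
NON_TLS = FIN_AFTER_200[:2] + [("client", {"PSH", "ACK"}, b"SSH-2.0-client\r\n")]

if __name__ == "__main__":
    for name, flow in [("fin_after_200", FIN_AFTER_200),
                       ("normal_tls", NORMAL_TLS), ("non_tls", NON_TLS)]:
        print(name, classify_tunnel(flow))
```

A gateway-side capture that yields `client_hello_sent` while the proxy-side capture of the same flow yields `closed_without_client_hello` indicates the Client Hello was sent but did not reach the proxy.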

Additional Information

This exception can occur for other reasons as well, which are described in the articles below.

Verdict connect_method_denied in Web Security Service report

Denied access to the requested port with Web Security Service
