Cloud SWG (formerly WSS) compatibility with SSLV3
search cancel

Cloud SWG (formerly WSS) compatibility with SSLV3


Article ID: 239687


Updated On:


Cloud Secure Web Gateway - Cloud SWG


SSLv3 shows enabled on Cloud Secure Web Gateway (Cloud SWG) while testing vulnerabilities via third-party tool called ssllabs. SSLv3 is disabled when testing directly without Cloud SWG.




Cloud SWG


Cloud SWG, by default, does not use SSLv3. It only downgrades it when the website cannot handle TLS and ask Cloud SWG to make connection over SSLv3. There are websites which might still use SSLv3 and disabling SSLv3 globally can cause outage accessing those websites for few other Cloud SWG customers.  


Support engineer can help users by adding a policy to disable SSLv3 for specific Cloud SWG tenants. The user using that tenant will not be able make any connection over SSLv3 after that. However, it can cause service disruption for any websites using SSLv3. Admin must analyze the impact prior to change, if any. They can login to the portal and go to Account Configuration (the gears at the bottom) > Log Export >  Log Download > Fields included with Download (View/Edit) and add the following fields


And then download some logs for a few days and scan that column and see if anything shows up with SSL3 or SSLv3 in any of the columns. If they can't find anything in those columns, then it is PROBABLY OK to disable the SSLv3 policy.