
WSS compatibility with SSLV3


Article ID: 239687


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

SSLv3 shows as enabled on WSS when testing for vulnerabilities with the third-party tool ssllabs. SSLv3 shows as disabled when testing directly, without WSS.

Environment

Web Security Service

Cause

WSS does not use SSLv3 by default. It only downgrades to SSLv3 when the website cannot handle TLS and asks WSS to make the connection over SSLv3. Some websites might still use SSLv3, and disabling SSLv3 globally could cause an outage for other WSS customers who access those websites.

Resolution

A support engineer can help users by adding a policy that disables SSLv3 for specific WSS tenants. Users of that tenant will then be unable to make any connection over SSLv3. However, this can cause service disruption for any websites that use SSLv3, so the admin must analyze the impact, if any, before the change. To do so, log in to the portal, go to Account Configuration (the gears at the bottom) > Log Export > Log Download > Fields included with Download (View/Edit), and add the following fields:

x-cs-connection-negotiated-ssl-version
x-rs-connection-negotiated-ssl-version

Then download the logs for a few days and scan those two columns for any value of SSL3 or SSLv3. If nothing shows up in those columns, then it is PROBABLY OK to apply the policy that disables SSLv3.
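One way to run that scan over a downloaded log, as an added example that is not part of the original article or Broadcom's tooling. It assumes the download is space-separated text with a `#Fields:` header line and double-quoted strings, and that a `cs-host` column is present; the sample rows are constructed.

```python
import csv
import re
from collections import Counter

# Field names are the ones the article says to add to the log download.
SSL_FIELDS = ("x-cs-connection-negotiated-ssl-version",
              "x-rs-connection-negotiated-ssl-version")
SSL3 = re.compile(r"sslv?3", re.IGNORECASE)  # matches "SSL3" and "SSLv3"

# Constructed sample. Assumed layout: "#Fields:" header, space-separated
# values, double-quoted strings; cs-host is an assumed extra column.
SAMPLE = """\
#Fields: date time cs-host x-cs-connection-negotiated-ssl-version x-rs-connection-negotiated-ssl-version
2024-01-01 10:00:00 www.example.com TLSv1.2 TLSv1.2
2024-01-01 10:00:05 legacy.example.net TLSv1.2 SSLv3
2024-01-01 10:00:09 plain.example.org - -
"""

def scan_ssl_versions(lines):
    """Return (version counts per field, SSLv3 rows, number of skipped rows)."""
    counts = {field: Counter() for field in SSL_FIELDS}
    hits, skipped, columns = [], 0, None
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            missing = [f for f in SSL_FIELDS if f not in columns]
            if missing:  # an empty result would be a false "all clear"
                raise ValueError(f"fields not in download: {missing}")
            continue
        if not line or line.startswith("#"):
            continue
        if columns is None:
            raise ValueError("data row before any #Fields: header")
        values = next(csv.reader([line], delimiter=" "))
        if len(values) != len(columns):
            skipped += 1  # truncated or malformed row; report, do not ignore
            continue
        row = dict(zip(columns, values))
        for field in SSL_FIELDS:
            counts[field][row[field]] += 1
            if SSL3.match(row[field]):
                hits.append((lineno, field, row.get("cs-host", "?"), row[field]))
    return counts, hits, skipped

if __name__ == "__main__":
    counts, hits, skipped = scan_ssl_versions(SAMPLE.splitlines())
    for field in SSL_FIELDS:
        print(field, dict(counts[field]))
    print("SSLv3 rows:", hits, "| skipped rows:", skipped)
```

The scan raises an error when either field is absent from the header, so a download made before the fields were added cannot be mistaken for a clean result. A non-zero skipped count means some rows were not checked.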

 
