WebSocket connections fail with SSL Visibility (SSLV) offloading
search cancel

WebSocket connections fail with SSL Visibility (SSLV) offloading


Article ID: 251195


Updated On:


ProxySG Software - SGOS SSL Visibility Appliance Software


WebSocket connections fail when proxied in an SSLV offloading environment.


This issue can be identified by the following,

  • the WebSocket HTTP upgrade/downgrade (101 switching protocols) is successful
  • a failure occurs once switching to a WebSocket tunnel
  • the browser developer tools displays an error such as One or more reserved bits are on: reserved1 =  0, reserved2 = 0, reserved3 = 1 under the web socket connection's Messages tab


WebSocket connections must be decrypted on both the client and server-side connections or cut through on both sides in an SSLV offloading configuration.

SGOS does not support mixing plain/encrypted connections once the HTTP proxy hands the transaction off for WebSocket tunneling.


On the SSLV configuration, ensure both the client side (client machine to ProxySG) and server side (ProxySG to the Internet) are handled the same, either both SSLV offloaded or both cut through.