WebSocket connections fail with SSL Visibility (SSLV) offloading
search cancel

WebSocket connections fail with SSL Visibility (SSLV) offloading

book

Article ID: 251195

calendar_today

Updated On:

Products

ProxySG Software - SGOS SSL Visibility Appliance Software

Issue/Introduction

WebSocket connections fail when proxied in an SSLV offloading environment.

 

This issue can be identified by the following,

  • the WebSocket HTTP upgrade/downgrade (101 switching protocols) is successful
  • a failure occurs once switching to a WebSocket tunnel
  • the browser developer tools displays an error such as One or more reserved bits are on: reserved1 =  0, reserved2 = 0, reserved3 = 1 under the web socket connection's Messages tab

Cause

WebSocket connections must be decrypted on both the client and server-side connections or cut through on both sides in an SSLV offloading configuration.

SGOS does not support mixing plain/encrypted connections once the HTTP proxy hands the transaction off for WebSocket tunneling.

Resolution

On the SSLV configuration, ensure both the client side (client machine to ProxySG) and server side (ProxySG to the Internet) are handled the same, either both SSLV offloaded or both cut through.