ERR_SSL_Version_OR_Cipper_Mistach error

Article ID: 253723

Products

ProxySG Software - SGOS

Issue/Introduction

The following URL, https://www.rocketmiles.com/, is not accessible through the proxy. It works fine when the proxy is bypassed.

The error below is received when the request is intercepted by the Proxy.

www.rocketmiles.com use an unsupported protocol

ERR_SSL_Version_OR_Cipper_Mistach

Environment

Release: 6.7.5.14

Resolution

Having investigated the uploaded log data, we see the following.

From the PCAP, we see that the transaction repeatedly failed because of a fatal TLS error: the destination host (104.17.163.79) attempted the TLS handshake using TLS 1.0, while the Proxy sent its Client Hello using TLS 1.2, which is the recommended version. Please see the snippet below for further details.

This is the reason for the reported "ERR_SSL_Version_OR_Cipper_Mistach" error. The destination host, https://www.rocketmiles.com/ (104.17.163.79), does not attempt the TLS handshake with the same TLS protocol version as the Proxy, leading to the mismatch reported. The cipher suites available in TLS 1.0 and TLS 1.2 are not the same.
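As an added diagnostic example (not code from this article or from the ProxySG product), the following Python reads the record and handshake headers out of captured TLS bytes and reports the protocol version each side offered, which is the check described above on the PCAP. The sample bytes are constructed here, not taken from the article's capture.

```python
# Added example: extract the offered TLS versions from raw captured bytes.
# Sample data is constructed below; it is not the article's PCAP.
import struct

HANDSHAKE, ALERT = 22, 21                       # TLS record content types
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_DESC = {40: "handshake_failure", 70: "protocol_version"}

def parse_records(data):
    """Yield (content_type, record_version, payload) for each TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, ver, payload
        off += 5 + length

def hello_version(payload):
    """Version field of a ClientHello (type 1) or ServerHello (type 2) message."""
    if len(payload) < 6 or payload[0] not in (1, 2):
        return None
    return struct.unpack("!H", payload[4:6])[0]   # after 1-byte type + 3-byte length

def diagnose(client_bytes, server_bytes):
    """Report the version each side offered and any fatal alert seen on the wire."""
    result = {"client": None, "server": None, "alert": None}
    for side, data in (("client", client_bytes), ("server", server_bytes)):
        for ctype, _, payload in parse_records(data):
            if not payload:
                continue
            if ctype == HANDSHAKE and payload[0] == (1 if side == "client" else 2):
                ver = hello_version(payload)
                result[side] = VERSIONS.get(ver, f"0x{ver:04x}")
            elif ctype == ALERT and len(payload) == 2 and payload[0] == 2:  # level 2 = fatal
                result["alert"] = ALERT_DESC.get(payload[1], f"alert {payload[1]}")
    result["mismatch"] = result["client"] != result["server"]
    return result

def build_hello(htype, version):
    """Build a minimal ClientHello (1) or ServerHello (2) record for the constructed sample."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += b"\x00\x02\xc0\x2f\x01\x00" if htype == 1 else b"\xc0\x2f\x00"
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs

# Constructed exchange: the proxy offers TLS 1.2, the server answers with TLS 1.0,
# and the proxy aborts with a fatal protocol_version (70) alert.
PROXY_TO_SERVER = build_hello(1, 0x0303) + struct.pack("!BHHBB", ALERT, 0x0303, 2, 2, 70)
SERVER_TO_PROXY = build_hello(2, 0x0301)

if __name__ == "__main__":
    print(diagnose(PROXY_TO_SERVER, SERVER_TO_PROXY))
```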

Note

The ProxySG Forward Proxy service is designed to use the same SSL parameters for the upstream (server-side) and downstream (client-side) connections. It cannot maintain two separate sessions with different parameters, as this scenario would require, and it cannot upgrade or downgrade the SSL/TLS version between the two sides.

It is strongly recommended not to enable TLS 1.0 on the ProxySG, for security reasons. Please refer to the Tech Article at the URL below.

https://knowledge.broadcom.com/external/article/169097/disable-tlsv1-or-sslv3-on-proxysg-applia.html

Workaround

Where the reported URL cannot complete a TLS handshake using TLS 1.2 or later, we recommend not intercepting the request (bypass only). You may use the CPL rules below for the recommended bypass.

<SSL-Intercept>
url.domain="www.rocketmiles.com" ssl.forward_proxy(no)

Additionally, do not run protocol detection for this URL. To do this as an exception rule, add a CPL layer or modify the Local Policy on your ProxySG with a rule based on the source or destination. For example:

By URL:
<proxy>
url.domain=rocketmiles.com detect_protocol(none)

By destination IP address:
<proxy>
url.address=104.17.163.79 detect_protocol(none)

By User-Agent (not all applications report a User-Agent header, so this may not be an option in every scenario):

<proxy>
request.header.User-Agent="application-specific-agent-name" detect_protocol(none)

Reference documents:

https://knowledge.broadcom.com/external/article/166365/disable-ssl-interception-for-single-url.html

https://knowledge.broadcom.com/external/article/167521/why-doesnt-a-detect_protocolno-rule-work.html

Additional document: https://knowledge.broadcom.com/external/article/170130/cipher-suites-shipped-with-the-proxysg-a.html