Not able to connect to HTTPS web sites that use ECDHE cipher suites after upgrading to R77.30

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk106296
Technical Level
Product	HTTPS Inspection
Version	R77.30
Platform / Model	All
Date Created	02-Jun-2015
Last Modified	28-Nov-2016

Symptoms

Not able to connect to HTTPS web sites that use ECDHE cipher suites after upgrading to R77.30.
Traffic capture on Security Gateway shows that SSL handshake fails.

Debug of WSTLSD daemon (per sk105559) shows that SSL handshake fails because ECDHE cipher was not found:

cptls_hs_event_handler: event CPTLS_HS_ALERT, buf_len = 2
cptls_hs_message_handler: called
CLN_handle_alert: called.
cptls_hs_record_alert: called. alert level: CPTLS_fatal description: CPTLS_handshake_failure
cptls_hs_record_alert: SNI_name: www.MyCompany.Example
cptls_Alert_Cache::add_hostname: host_name: www.MyCompany.Example 
... ... ...
cptls_sni_in_alert_cache: SNI_name: www.MyCompany.Example
cptls_Alert_Cache::find_hostname: found host_name www.MyCompany.Example in cache.
cptls_sni_in_alert_cache: is_exist for sni www.MyCompany.Example: 1
cptls_params_imp::Get_Filtered_CipherSuites: start. m_propose_ecdhe: 2, sni_in_cache: 1
cptls_params_imp::CipherSuites_without_ECDHE: start
cptls_ecdhe_cipher_exists: ecdhe cipher not found.

cptls_sni_in_alert_cache: SNI_name: www.example.com cptls_Alert_Cache::find_hostname: entered cptls_Alert_Cache::find_hostname: host_name www.example.com not in cache. cptls_sni_in_alert_cache: is_exist for sni www.example.com: 0 cptls_params_imp::Get_Filtered_CipherSuites: start. m_propose_ecdhe: 0, sni_in_cache: 0 cptls_params_imp::CipherSuites_without_ECDHE: start cptls_ecdhe_cipher_exists: ecdhe cipher not found.

Cause

Security Gateway does not propose the ECDHE cipher suites.

Solution

Note: To view this solution you need to Sign In .