Support Center > Search Results > SecureKnowledge Details
No access to specific HTTPS sites that use ECDHE ciphers when HTTPS Inspection is enabled Technical Level
  • There is no access to some HTTPS websites that use ECDHE cipher suites after you enable ECDHE on the Security Gateway based on the instructions in sk104717 - section "Perfect Forward Secrecy (PFS)".

  • The affected websites use ECDH curve P-384.

    See Qualys SSL Labs "SSL Server Test":

  • Hosts cannot download Windows Updates through the Security Gateway with enabled HTTPS Inspection, although the option "Bypass HTTPS inspection of traffic to well known software update services" is enabled:

    To resolve this issue, do these steps:

    In SmartDashboard, go to the "Application & URL Filtering" / "Data Loss Prevention" / "IPS" / "Threat Prevention" tab - expand "Advanced" - expand "HTTPS Inspection" - click on "Policy" - check the box at the bottom of this page.


    Enabling the HTTPS Inspection Bypass Mechanism resolves the issue (Hosts can download Windows Updates).

  • Debug of the WSTLSD daemon (as per sk105559) on the Security Gateway shows that the HTTPS site sends a TLS handshake failure

    ;21Dec2017 13:27:10.175176;[cpu_0];[fw4_1];fwtls_hs_list_handler: called.;
    ;21Dec2017 13:27:10.175177;[cpu_0];[fw4_1];fwtls_pending_data_handler: called.;
    ;21Dec2017 13:27:10.175178;[cpu_0];[fw4_1];fwtls_rx_handler: called.;
    ;21Dec2017 13:27:10.175179;[cpu_0];[fw4_1];fwtls_rx_handler: called. 7 bytes to read;
    ;21Dec2017 13:27:10.175180;[cpu_0];[fw4_1];fwtls_rx_handler: TLS header:;
    ;21Dec2017 13:27:10.175185;[cpu_0];[fw4_1];     0: <15 03 03 00 02>                                     .....;
    ;21Dec2017 13:27:10.175186;[cpu_0];[fw4_1];;
    ;21Dec2017 13:27:10.175188;[cpu_0];[fw4_1];fwtls_rx_handler: handling CPTLS_alert record, length 2;
    ;21Dec2017 13:27:10.175189;[cpu_0];[fw4_1];fwtls_rx_handler: data before decryption:;
    ;21Dec2017 13:27:10.175192;[cpu_0];[fw4_1];     0: <02 28>                                              .(;
    ;21Dec2017 13:27:10.175192;[cpu_0];[fw4_1];;
    ;21Dec2017 13:27:10.175194;[cpu_0];[fw4_1];fwtls_rx_handler: fatal alert, desc = CPTLS_handshake_failure;
    ;21Dec2017 13:27:10.175195;[cpu_0];[fw4_1];cptls_send_trap: sending msg to daemon:;
    ;21Dec2017 13:27:10.175196;[cpu_0];[fw4_1];conn id   : 0x000000000000008e;
    ;21Dec2017 13:27:10.175197;[cpu_0];[fw4_1];msg       : 1 HS_EVENT_HANDLER;
    ;21Dec2017 13:27:10.175197;[cpu_0];[fw4_1];event type: CPTLS_HS_ALERT;
    ;21Dec2017 13:27:10.175198;[cpu_0];[fw4_1];buflen    : 2;
    ;21Dec2017 13:27:10.175201;[cpu_0];[fw4_1];fwtls_rx_handler: fatal alert, desc = CPTLS_handshake_failure;
The ECDHE cipher suite and other ciphers use Elliptic Curve Cryptography (ECC), an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

By default, HTTPS Inspection in R77.30 supports up to curve P256.

Note: To view this solution you need to Sign In .