No access to specific HTTPS sites that use ECDHE ciphers when HTTPS Inspection is enabled

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk110883
Technical Level
Product	HTTPS Inspection
Version	R77.30 (EOL), R80.10 (EOL), R80.20 (EOL)
OS	Gaia
Platform / Model	All
Date Created	07-Apr-2016
Last Modified	04-Aug-2022

Symptoms

There is no access to some HTTPS websites that use ECDHE cipher suites after you enable ECDHE on the Security Gateway based on the instructions in sk104717 - section "Perfect Forward Secrecy (PFS)".
The affected websites use ECDH curve P-384.

See Qualys SSL Labs "SSL Server Test":
Hosts cannot download Windows Updates through the Security Gateway with enabled HTTPS Inspection, although the option "Bypass HTTPS inspection of traffic to well known software update services" is enabled:

To resolve this issue, do these steps:

In SmartDashboard, go to the "Application & URL Filtering" / "Data Loss Prevention" / "IPS" / "Threat Prevention" tab - expand "Advanced" - expand "HTTPS Inspection" - click on "Policy" - check the box at the bottom of this page.

Example:

Enabling the HTTPS Inspection Bypass Mechanism resolves the issue (Hosts can download Windows Updates).

Debug of the WSTLSD daemon (as per sk105559) on the Security Gateway shows that the HTTPS site sends a TLS handshake failure

;21Dec2017 13:27:10.175176;[cpu_0];[fw4_1];fwtls_hs_list_handler: called.;
;21Dec2017 13:27:10.175177;[cpu_0];[fw4_1];fwtls_pending_data_handler: called.;
;21Dec2017 13:27:10.175178;[cpu_0];[fw4_1];fwtls_rx_handler: called.;
;21Dec2017 13:27:10.175179;[cpu_0];[fw4_1];fwtls_rx_handler: called. 7 bytes to read;
;21Dec2017 13:27:10.175180;[cpu_0];[fw4_1];fwtls_rx_handler: TLS header:;
;21Dec2017 13:27:10.175185;[cpu_0];[fw4_1];     0: <15 03 03 00 02>                                     .....;
;21Dec2017 13:27:10.175186;[cpu_0];[fw4_1];;
;21Dec2017 13:27:10.175188;[cpu_0];[fw4_1];fwtls_rx_handler: handling CPTLS_alert record, length 2;
;21Dec2017 13:27:10.175189;[cpu_0];[fw4_1];fwtls_rx_handler: data before decryption:;
;21Dec2017 13:27:10.175192;[cpu_0];[fw4_1];     0: <02 28>                                              .(;
;21Dec2017 13:27:10.175192;[cpu_0];[fw4_1];;
;21Dec2017 13:27:10.175194;[cpu_0];[fw4_1];fwtls_rx_handler: fatal alert, desc = CPTLS_handshake_failure;
;21Dec2017 13:27:10.175195;[cpu_0];[fw4_1];cptls_send_trap: sending msg to daemon:;
;21Dec2017 13:27:10.175196;[cpu_0];[fw4_1];conn id   : 0x000000000000008e;
;21Dec2017 13:27:10.175197;[cpu_0];[fw4_1];msg       : 1 HS_EVENT_HANDLER;
;21Dec2017 13:27:10.175197;[cpu_0];[fw4_1];event type: CPTLS_HS_ALERT;
;21Dec2017 13:27:10.175198;[cpu_0];[fw4_1];buflen    : 2;
;21Dec2017 13:27:10.175201;[cpu_0];[fw4_1];fwtls_rx_handler: fatal alert, desc = CPTLS_handshake_failure;

Cause

The ECDHE cipher suite and other ciphers use Elliptic Curve Cryptography (ECC), an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

By default, HTTPS Inspection in R77.30 supports up to curve P256.

Solution

Note: To view this solution you need to Sign In .