Support Center > Search Results > SecureKnowledge Details
Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled
Symptoms
  • Some HTTPS web sites that use ECDHE cipher suites are not accessible after the user enables ECDHE on the Security Gateway per sk104717 - section "Perfect Forward Secrecy (PFS)".

  • The affected web sites use ECDH curve P-384.

    See Qualys SSL Labs "SSL Server Test":
  • Hosts are not able to download Windows Updates through the Security Gateway with enabled HTTPS Inspection, although the option "Bypass HTTPS inspection of traffic to well known software update services" is enabled:
    To resolve this issue, do the following: In SmartDashboard, go to the "Application & URL Filtering" / "Data Loss Prevention" / "IPS" / "Threat Prevention" tab - expand the "Advanced" - expand the "HTTPS Inspection" - click on "Policy" - check the box at the bottom of this page.

    Example:

    Enabling the HTTPS Inspection Bypass Mechanism resolves the issue (Hosts are able to download Windows Updates).

  • Debug of WSTLSD daemon (per sk105559) on Security Gateway shows that HTTPS site sends TLS handshake failure: ;21Dec2017 13:27:10.175176;[cpu_0];[fw4_1];fwtls_hs_list_handler: called.; ;21Dec2017 13:27:10.175177;[cpu_0];[fw4_1];fwtls_pending_data_handler: called.; ;21Dec2017 13:27:10.175178;[cpu_0];[fw4_1];fwtls_rx_handler: called.; ;21Dec2017 13:27:10.175179;[cpu_0];[fw4_1];fwtls_rx_handler: called. 7 bytes to read; ;21Dec2017 13:27:10.175180;[cpu_0];[fw4_1];fwtls_rx_handler: TLS header:; ;21Dec2017 13:27:10.175185;[cpu_0];[fw4_1]; 0: <15 03 03 00 02> .....; ;21Dec2017 13:27:10.175186;[cpu_0];[fw4_1];; ;21Dec2017 13:27:10.175188;[cpu_0];[fw4_1];fwtls_rx_handler: handling CPTLS_alert record, length 2; ;21Dec2017 13:27:10.175189;[cpu_0];[fw4_1];fwtls_rx_handler: data before decryption:; ;21Dec2017 13:27:10.175192;[cpu_0];[fw4_1]; 0: <02 28> .(; ;21Dec2017 13:27:10.175192;[cpu_0];[fw4_1];; ;21Dec2017 13:27:10.175194;[cpu_0];[fw4_1];fwtls_rx_handler: fatal alert, desc = CPTLS_handshake_failure; ;21Dec2017 13:27:10.175195;[cpu_0];[fw4_1];cptls_send_trap: sending msg to daemon:; ;21Dec2017 13:27:10.175196;[cpu_0];[fw4_1];conn id : 0x000000000000008e; ;21Dec2017 13:27:10.175197;[cpu_0];[fw4_1];msg : 1 HS_EVENT_HANDLER; ;21Dec2017 13:27:10.175197;[cpu_0];[fw4_1];event type: CPTLS_HS_ALERT; ;21Dec2017 13:27:10.175198;[cpu_0];[fw4_1];buflen : 2; ;21Dec2017 13:27:10.175201;[cpu_0];[fw4_1];fwtls_rx_handler: fatal alert, desc = CPTLS_handshake_failure;
Cause

ECDHE cipher suite and other ciphers use Elliptic Curve Cryptography (ECC), which is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

By default, HTTPS Inspection in R77.30 supports up to curve P256.


Solution
Note: To view this solution you need to Sign In .