Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used
Symptoms
  • Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used.

  • A debug of the WSTLSD daemon (per sk105559) on the Security Gateway shows that the HTTPS site sends a TLS handshake failure:

    cptls_handle_msg: called. msg=HS_EVENT_HANDLER
    cptls_handle_msg: kernel_instance: 3
    cptls_handle_msg: conn_id: 0x...
    cptls_ChannelTable::handleMsg: kernel instance: ...
    cptls_ChannelTable::handleMsg: channel conn_id: 0x...
    cptls_ActiveProxy::event_handler: called.
    cptls_ProxyChannel::saveClientMsg: conn_id: 0x...
    cptls_ProxyChannel::isSavingClientMsg: checking conn_id: 0x...
    cptls_ProxyChannel::isSavingClientMsg: server side. not saving
    cptls_ProxyChannel::saveClientMsg: nothing to do.
    cptls_ProxyChannel::isConnSuspended: no.
    cptls_ProxyChannel::event_handler: called.
    cptls_ProxyChannel::getHS: conn_id matches server side: 0x...
    cptls_hs_event_handler: called
    cptls_hs_event_handler: called from kernel instance: ...
    cptls_hs_event_handler: conn_id: 0x...
    cptls_hs_event_handler: event CPTLS_HS_ALERT, buf_len = ...
    cptls_hs_print_alert: alert level: CPTLS_fatal, description: CPTLS_handshake_failure(40).
    cptls_hs_message_handler: called
    CLN_handle_alert: called.
    cptls_hs_record_alert: called. alert level: CPTLS_fatal description: CPTLS_handshake_failure
Cause

The HTTPS site to which the connection fails requires the following in the TLS handshake:

  • The TLS "ec_point_formats" extension (Supported Point Formats Extension, RFC 4492) to be sent in the "ClientHello" together with the TLS "elliptic_curves" extension (Supported Elliptic Curves Extension, RFC 4492).

  • The TLS Renegotiation Indication information to be sent as the TLS Renegotiation Indication Extension (RFC 5746) and not as a special value in the cipher suite list.
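As an added illustration (not part of this sk or of Check Point's code), the following Python check parses a ClientHello record and reports which of the two requirements above it fails to meet, so a ClientHello captured from the inspecting gateway can be compared against a strict site's expectations. The code points are the RFC 4492 / RFC 5746 values; the two sample ClientHello messages are constructed here.

```python
import struct

EXT_ELLIPTIC_CURVES = 0x000A    # "elliptic_curves" (now supported_groups), RFC 4492
EXT_EC_POINT_FORMATS = 0x000B   # "ec_point_formats", RFC 4492
EXT_RENEGOTIATION_INFO = 0xFF01 # renegotiation_info extension, RFC 5746
SCSV_RENEGOTIATION = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite
ECDHE_RSA_AES128_GCM = 0xC02F   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

def build_client_hello(suites, extensions):
    # Minimal TLS 1.2 ClientHello record: zero random, empty session id, null compression.
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    # Returns (cipher suite list, extension type list) of a ClientHello handshake record.
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]              # skip compression_methods
    exts = []
    if pos + 2 <= len(body):          # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(etype); pos += 4 + elen
    return suites, exts

def check_client_hello(record):
    # Lists the conditions from the Cause section that this ClientHello violates.
    suites, exts = parse_client_hello(record)
    problems = []
    if EXT_ELLIPTIC_CURVES in exts and EXT_EC_POINT_FORMATS not in exts:
        problems.append("elliptic_curves sent without ec_point_formats")
    if SCSV_RENEGOTIATION in suites and EXT_RENEGOTIATION_INFO not in exts:
        problems.append("renegotiation signalled by SCSV instead of renegotiation_info extension")
    return problems

CURVES = b"\x00\x04\x00\x17\x00\x18"  # constructed sample: secp256r1, secp384r1
BAD_HELLO = build_client_hello([ECDHE_RSA_AES128_GCM, SCSV_RENEGOTIATION], [(EXT_ELLIPTIC_CURVES, CURVES)])
GOOD_HELLO = build_client_hello([ECDHE_RSA_AES128_GCM], [(EXT_ELLIPTIC_CURVES, CURVES),
                                (EXT_EC_POINT_FORMATS, b"\x01\x00"), (EXT_RENEGOTIATION_INFO, b"\x00")])
```

`check_client_hello(BAD_HELLO)` reports both problems, while `GOOD_HELLO` returns an empty list; the same check can be run on the raw bytes of a ClientHello captured on the gateway's server-side connection.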


Solution