topic Do we have any more in Web Security

HTTPS site fails to load

ashaw216 — Wed, 12 Aug 2015 17:28:15 GMT

There are several HTTPS sites which, when we try to access them, give varying errors (Firefox "Secure Connection Failed", IE "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting..." even though these are turned on, and Chrome "The webpage is not available ERR_CONNECTION_CLOSED").

Within the proxylog on the WSA170 I see these lines:

Warning: HTTPS : - : Unknown algorithm for public key in X509 certificate

When I run an SSL test against the site it says it supports TLS 1.0 - 1.2, but not SSL. I'm wondering why we're not able to connect.

There are a couple of things

Ken Stieers — Wed, 12 Aug 2015 17:43:30 GMT

There are a couple of things that could be going on:

1. The current WSA versions don't support TLS 1.1 or 1.2. TLS1.1/1.2 support is coming SOON.

2. there's a bug related to how the WSA tries to negotiate this, it will show up in the access logs as 502 errors for the site in question. The fix for this is coming soon.

I ended up creating a custom category, setting it to "Pass-through" in the Decryption Access Policies"

Do we have any more

ashaw216 — Wed, 30 Sep 2015 13:39:48 GMT

Do we have any more indications when "SOON" will be? More and more sites are moving to TLS 1.1 / 1.2 and becoming inaccessible unless we bypass them (which opens us up to potential malware infection if the site becomes compromised.)

I'm honestly at a total loss how Cisco still doesn't support these protocols, which have been in use for YEARS. TLS 1.1 in 2006 and TLS 1.2 in 2008 !!

I was in the beta, it exited

Ken Stieers — Wed, 30 Sep 2015 14:04:00 GMT

I was in the beta, it exited a few weeks ago...I expect that FCS is imminent but don't have dates.

And yes Product Management knows they dropped the ball big time on this one...

Looking forward to the latest

Paul Cardelli — Wed, 30 Sep 2015 14:20:48 GMT

Looking forward to the latest update. We are having a lot more issues with this lately.

Good Morning Thanks for

Atazazuddin Shaikh — Wed, 30 Sep 2015 15:00:19 GMT

Good Morning

Thanks for reaching out, Support for TLS 1.1 / 1.2 is available with the version 9.0.0-485 build (currently is limited deployment) provisioned based. Please create a TAC case with the serial number of the Appliance needed to have this version provisioned.

Regards,

Zack

I currently have a TAC case

blroberts2 — Fri, 02 Oct 2015 01:44:01 GMT

I currently have a TAC case open for our S680s. Should the engineer be able to provision this version for us? Having several incredibly frustrating issues including this.

Good Morning That is correct

Atazazuddin Shaikh — Fri, 02 Oct 2015 12:56:37 GMT

Good Morning

That is correct, Please let your TAC engineer know and he/she will be able to have it provisioned.

Regards,

Zack

Our account manager has

ashaw216 — Fri, 02 Oct 2015 13:07:53 GMT

Our account manager has mentioned that this update may require a memory upgrade of the appliance (!) -- what are the requirements for it?

Their are some memory

Atazazuddin Shaikh — Fri, 02 Oct 2015 18:18:31 GMT

Their are some memory requirement for S370 (MUST be 8 Gig RAM), Please have TAC engineer do the research for you and address all the concerns / questions you may have.

Thanks

Zack

Hi

francisco del cura ferreira — Tue, 23 Feb 2016 12:10:57 GMT

I'd like to say we got 9.0.0-485 (S380) and our users can't access to https://www.ingdirect.es. In the browser we get ERR_CONNECTION_CLOSED. I downloaded pcap from our firewall and can see WSA sends to the remote server this:

TLSv1.2 Record Alert (Level: Fatal, Description: Unsupported Extension)

After it WSA sends a RST to ingdirect server.

I thought this problem was fixed in 9.0.0-485.

Regards

The site https://www

Erik Dahle — Wed, 24 Feb 2016 12:37:21 GMT

The site https://www.ingdirect.es loads fine for me, running 9.0.1-162.

Hi Erik

francisco del cura ferreira — Wed, 24 Feb 2016 12:41:11 GMT

Hi Erik

I read in another thread 9.0.0-485 didn't fix the TLS v1.2 issue. We have to schedule an upgrade to 9.0.1-162, I'm sure the issue will be fixed after upgrading.

Thanks for answering.

Problem solved: we switched

ashaw216 — Wed, 13 Apr 2016 11:23:06 GMT

Problem solved: we switched to Websense (now Forcepoint), which doesn't have this issue.

Good morning,

soporte.redes2 — Thu, 05 Jan 2017 19:57:15 GMT

Good morning,

To me it happens the same for the website https://esta.cbp.dhs.gov/ I generate the error ERR_CONNECTION_CLOSED from the browser, in the capture of logs from the WSA I get error code 502:

1483558564.689 968 10.10.165.35 TCP_MISS / 502 0 TCP_CONNECT 216.81.87.20:443 - DIRECT / esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

This happens to the version of WSA 9.1.1-074, but in a WSA with version 8.5.2-027 I do not happen this type of error; Please can you inform me the root cause of this behavior and how can I solve it. Thank you in advance for your cooperation.