HTTPS site fails to load

ashaw216 (Level 1)

There are several HTTPS sites which, when we try to access them, give varying errors (Firefox: "Secure Connection Failed"; IE: "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting...", even though these are turned on; Chrome: "The webpage is not available ERR_CONNECTION_CLOSED").

Within the proxy log on the WSA170 I see these lines:

Warning: HTTPS : - : Unknown algorithm for public key in X509 certificate

When I run an SSL test against the site it says it supports TLS 1.0 - 1.2, but not SSL. I'm wondering why we're not able to connect.

14 Replies

There are a couple of things that could be going on:

1. The current WSA versions don't support TLS 1.1 or 1.2. TLS 1.1/1.2 support is coming SOON.

2. There's a bug related to how the WSA tries to negotiate this; it will show up in the access logs as 502 errors for the site in question. The fix for this is coming soon.

I ended up creating a custom category and setting it to "Pass-through" in the Decryption Access Policies.

Do we have any more indication of when "SOON" will be? More and more sites are moving to TLS 1.1/1.2 and becoming inaccessible unless we bypass them (which opens us up to potential malware infection if the site becomes compromised).

I'm honestly at a total loss how Cisco still doesn't support these protocols, which have been in use for YEARS. TLS 1.1 in 2006 and TLS 1.2 in 2008!!

I was in the beta; it exited a few weeks ago. I expect that FCS is imminent but don't have dates.

And yes Product Management knows they dropped the ball big time on this one...

Looking forward to the latest update. We are having a lot more issues with this lately.

Good Morning

Thanks for reaching out. Support for TLS 1.1/1.2 is available with the 9.0.0-485 build (currently in limited deployment, available by provisioning). Please create a TAC case with the serial number of the appliance that needs this version provisioned.

Regards,

Zack

I currently have a TAC case open for our S680s.  Should the engineer be able to provision this version for us?  Having several incredibly frustrating issues including this.

Good Morning

That is correct. Please let your TAC engineer know and he/she will be able to have it provisioned.

Regards,

Zack

Our account manager has mentioned that this update may require a memory upgrade of the appliance (!) -- what are the requirements for it?

There is a memory requirement for the S370 (it MUST have 8 GB of RAM). Please have your TAC engineer do the research for you and address all the concerns/questions you may have.

Thanks

Zack

Hi

I'd like to say we got 9.0.0-485 (S380) and our users can't access https://www.ingdirect.es. In the browser we get ERR_CONNECTION_CLOSED. I downloaded a pcap from our firewall and can see the WSA sends this to the remote server:

TLSv1.2 Record Alert (Level: Fatal, Description: Unsupported Extension)

After it the WSA sends an RST to the ingdirect server.

I thought this problem was fixed in 9.0.0-485.

Regards
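Two things the thread refers to without showing how to do them: the per-version handshake check the original post calls an "SSL test" (which reported TLS 1.0 to 1.2 but no SSL for the site), and reading the fatal "Unsupported Extension" alert the pcap above showed the WSA sending. The following is an added example written for this page; it is not code from the thread, from the WSA, or from Cisco. The host name it probes by default is taken from the post above and is only an illustration, and the alert bytes are constructed to match what Wireshark described, not copied from the poster's capture.

```python
"""Added example (not from the thread or from Cisco): probe which TLS
versions a server negotiates, and decode a TLS alert record such as the
"Alert (Level: Fatal, Description: Unsupported Extension)" seen in the pcap.
"""
import socket
import ssl

# Versions to try, oldest first. SSLv3 is not included: Python's ssl module
# no longer offers an SSLv3 client, and the thread's SSL test already
# reported that the site does not support SSL.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def context_for(version):
    """Client context pinned to exactly one protocol version.

    Certificate validation is switched off on purpose: the question is which
    versions the server will negotiate, not whether its chain verifies.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lowering
    # it for this test keeps the client from being the side that declines.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake attempt per version; returns {name: (accepted, detail)}."""
    results = {}
    for name, version in VERSIONS:
        try:
            ctx = context_for(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, "%s with %s" % (tls.version(), tls.cipher()[0]))
        except (ssl.SSLError, OSError, ValueError) as exc:
            # A server that does not speak this version answers with a
            # protocol_version/handshake_failure alert or simply closes the
            # connection; both arrive here as an exception.
            results[name] = (False, str(exc))
    return results


# --- TLS alert record decoding (RFC 5246, section 7.2) ----------------------
CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # the subset relevant to negotiation problems
    0: "close_notify",
    10: "unexpected_message",
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
    110: "unsupported_extension",
}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
                   (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def decode_alert_record(record):
    """Decode one plaintext alert record; raises ValueError if it is not one."""
    if len(record) < 7 or record[0] != CONTENT_TYPE_ALERT:
        raise ValueError("not a TLS alert record")
    body_len = int.from_bytes(record[3:5], "big")
    if body_len != 2 or len(record) != 5 + body_len:
        raise ValueError("alert body must be exactly two bytes")
    version = (record[1], record[2])
    level, description = record[5], record[6]
    return {
        "version": RECORD_VERSIONS.get(version, "unknown %r" % (version,)),
        "level": ALERT_LEVELS.get(level, "unknown %d" % level),
        "description": ALERT_DESCRIPTIONS.get(description, "unknown %d" % description),
    }


# Constructed sample (not bytes from the poster's pcap): what the alert the
# WSA sent would look like on the wire. 0x15 = alert, 0x0303 = TLS 1.2,
# length 2, then level 2 (fatal) and description 110 (unsupported_extension).
CAPTURED_STYLE_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x6E])


if __name__ == "__main__":
    import sys
    print(decode_alert_record(CAPTURED_STYLE_ALERT))
    host = sys.argv[1] if len(sys.argv) > 1 else "www.ingdirect.es"  # host from the thread
    for name, (ok, detail) in probe_tls_versions(host).items():
        print("%-8s %-8s %s" % (name, "accepted" if ok else "refused", detail))
```

Run it from a machine that does not go through the proxy to see what the origin server itself accepts, then from behind the WSA: a version that the origin accepts directly but fails through the proxy is the proxy's problem, which is the situation the thread describes. Note that the alert in the capture is sent by the WSA, not the server, so the failing side is the appliance's own TLS client.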

The site https://www.ingdirect.es loads fine for me, running 9.0.1-162.

Hi Erik

I read in another thread that 9.0.0-485 didn't fix the TLS v1.2 issue. We have to schedule an upgrade to 9.0.1-162; I'm sure the issue will be fixed after upgrading.

Thanks for answering.

Good morning,

The same happens to me with the website https://esta.cbp.dhs.gov/. The browser gives the error ERR_CONNECTION_CLOSED, and in the log capture from the WSA I get error code 502:

1483558564.689 968 10.10.165.35 TCP_MISS / 502 0 TCP_CONNECT 216.81.87.20:443 - DIRECT / esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

This happens on WSA version 9.1.1-074, but on a WSA with version 8.5.2-027 this type of error does not occur. Could you please tell me the root cause of this behavior and how I can solve it? Thank you in advance for your cooperation.
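The first reply in the thread says the negotiation bug "will show up in the access logs as 502 errors for the site in question", and the post above pastes exactly such a line. The following is an added example, not code from the thread or from Cisco: it parses the leading fields of a WSA access log line and lists the CONNECT tunnels that ended in a 502, so the affected sites can be pulled out of a large log instead of being read by hand. The first sample line is the one quoted above, as the forum rendered it; the other sample lines, their hosts, addresses and category tags are constructed for illustration.

```python
"""Added example (not from the thread or from Cisco): find CONNECT tunnels
that ended in a 502 in WSA access log lines."""
import re

# Leading fields of a squid-style WSA access log line, up to the ACL
# decision tag. On the appliance "TCP_MISS/502" and "DIRECT/host" are
# written without spaces; the regex also accepts the spaced form in which
# the forum rendered the line quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)\s*/\s*(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)\s*/\s*(?P<server>\S+)\s+(?P<ctype>\S+)\s+"
    r"(?P<decision>\S+)"
)


def parse_access_log_line(line):
    """Return a dict of the leading fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("elapsed_ms", "status", "bytes"):
        entry[key] = int(entry[key])
    # "PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup":
    # the ACL decision tag first, then the policy groups that matched,
    # dash-separated.
    tag, _, groups = entry["decision"].partition("-")
    entry["acl_decision"] = tag
    entry["policy_groups"] = groups.split("-") if groups else []
    return entry


def failed_connects(lines):
    """CONNECT tunnels that ended with a 502, as (server, acl_decision, elapsed_ms).

    A 502 on TCP_CONNECT with zero bytes is what the bug described in the
    thread looks like from the log: the client's tunnel request was accepted
    but the proxy's own connection to the origin never completed.
    """
    hits = []
    for line in lines:
        e = parse_access_log_line(line)
        if e and e["method"] == "TCP_CONNECT" and e["status"] == 502:
            hits.append((e["server"], e["acl_decision"], e["elapsed_ms"]))
    return hits


SAMPLE_LINES = [
    # Quoted from the thread, as it was rendered there.
    '1483558564.689 968 10.10.165.35 TCP_MISS / 502 0 TCP_CONNECT 216.81.87.20:443 - '
    'DIRECT / esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup '
    '<IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" "" "" "" "" "" "" "" ""',
    # Constructed: a tunnel that came up normally.
    '1483558570.102 412 10.10.165.35 TCP_MISS/200 5120 TCP_CONNECT 93.184.216.34:443 - '
    'DIRECT/www.example.com - DECRYPT_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup '
    '<IW_comp, 5.2, -, "-", IW_comp, -, "-", "-", "-", "-", "-", "-" "-" "" ""',
    # Constructed: a plain GET that also got a 502; not a CONNECT, so not counted.
    '1483558575.330 88 10.10.165.36 TCP_MISS/502 0 GET http://www.example.net/ - '
    'DIRECT/www.example.net - DEFAULT_CASE_11-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup '
    '<IW_comp, 5.2, -, "-", IW_comp, -, "-", "-", "-", "-", "-", "-" "-" "" ""',
    # Constructed: a second failing tunnel a day later.
    '1483644901.007 1013 10.10.165.40 TCP_MISS/502 0 TCP_CONNECT 198.51.100.7:443 - '
    'DIRECT/bank.example.org - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup '
    '<IW_fnnc, 4.1, -, "-", IW_fnnc, -, "-", "-", "-", "-", "-", "-" "-" "" ""',
]

if __name__ == "__main__":
    for server, decision, ms in failed_connects(SAMPLE_LINES):
        print("%-20s %-18s after %d ms" % (server, decision, ms))
```

Feed it the whole access log (for example `failed_connects(open("accesslog").readlines())`) and tally the servers it returns: hosts that only ever appear with 502 on CONNECT, on a build without TLS 1.1/1.2 support, are the ones that need either the pass-through workaround mentioned earlier in the thread or the provisioned 9.x build.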

ashaw216 (Level 1)

Problem solved:  we switched to Websense (now Forcepoint), which doesn't have this issue.
