There are several HTTPS sites which, when we try to access them, give varying errors (Firefox "Secure Connection Failed", IE "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting..." even though these are turned on, and Chrome "The webpage is not available ERR_CONNECTION_CLOSED").
Within the proxylog on the WSA170 I see these lines:
Warning: HTTPS : - : Unknown algorithm for public key in X509 certificate
When I run an SSL test against the site it says it supports TLS 1.0 - 1.2, but not SSL. I'm wondering why we're not able to connect.
There are a couple of things that could be going on:
1. The current WSA versions don't support TLS 1.1 or 1.2. TLS1.1/1.2 support is coming SOON.
2. There's a bug related to how the WSA tries to negotiate this; it will show up in the access logs as 502 errors for the site in question. The fix for this is coming soon.
I ended up creating a custom category, setting it to "Pass-through" in the Decryption Access Policies.
Do we have any more indications when "SOON" will be? More and more sites are moving to TLS 1.1 / 1.2 and becoming inaccessible unless we bypass them (which opens us up to potential malware infection if the site becomes compromised.)
I'm honestly at a total loss how Cisco still doesn't support these protocols, which have been in use for YEARS. TLS 1.1 in 2006 and TLS 1.2 in 2008!!
I'd like to say we got 9.0.0-485 (S380) and our users can't access https://www.ingdirect.es. In the browser we get ERR_CONNECTION_CLOSED. I downloaded a pcap from our firewall and can see the WSA sends this to the remote server:
TLSv1.2 Record Alert (Level: Fatal, Description: Unsupported Extension)
After it, the WSA sends a RST to the ingdirect server.
I thought this problem was fixed in 9.0.0-485.
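The alert in that capture is worth decoding rather than just reading off Wireshark's summary. A plaintext TLS alert record is a 5-byte record header (content type 21, record version, length) followed by two bytes: level and description. RFC 5246 section 7.2.2 defines unsupported_extension (code 110) as an alert sent by a TLS client that receives an extended ServerHello containing an extension it did not offer in its ClientHello. Since the WSA is the TLS client towards the origin server here, the alert says the proxy's own client-side TLS stack rejected the server's hello, which is consistent with the behaviour changing between WSA versions. The decoder below is an added example, not code from the thread or from Cisco; the sample record bytes are constructed to match the alert the post describes.

```python
import struct

# Alert levels and descriptions from RFC 5246, section 7.2 (TLS 1.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}
RECORD_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CONTENT_TYPE_ALERT = 21

# Constructed sample: the bytes a plaintext TLS 1.2 alert record carries for the
# alert the post describes (level fatal = 2, description unsupported_extension = 110).
SAMPLE_ALERT_RECORD = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x6E])


def decode_tls_alert(record: bytes) -> dict:
    """Decode one TLS record and, if it is a plaintext alert, name its level and description.

    Raises ValueError for records that are not alerts or are truncated.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type})")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    info = {"version": RECORD_VERSIONS.get(version, f"unknown(0x{version:04x})")}
    if length != 2:
        # An alert sent after ChangeCipherSpec is encrypted (and MAC'd/padded),
        # so its body is not 2 bytes and level/description cannot be read here.
        info["encrypted"] = True
        return info
    level, description = body  # two single bytes
    info.update(
        encrypted=False,
        level=ALERT_LEVELS.get(level, f"unknown({level})"),
        description=ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
        code=description,
    )
    return info


def summarize_alert(record: bytes) -> str:
    """One-line summary in the style of a packet analyser's info column."""
    info = decode_tls_alert(record)
    if info.get("encrypted"):
        return f"{info['version']} Alert (encrypted)"
    return f"{info['version']} Alert (Level: {info['level']}, Description: {info['description']})"


if __name__ == "__main__":
    print(summarize_alert(SAMPLE_ALERT_RECORD))
```

Feeding the decoder the raw record bytes exported from a capture gives the same "fatal / unsupported_extension" reading as the post, and the direction of the packet (proxy to origin) is what tells you which side's TLS implementation gave up.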
The same happens to me for the website https://esta.cbp.dhs.gov/. I get the error ERR_CONNECTION_CLOSED in the browser, and in the logs captured from the WSA I get error code 502:
1483558564.689 968 10.10.165.35 TCP_MISS / 502 0 TCP_CONNECT 22.214.171.124:443 - DIRECT / esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
This happens on WSA version 9.1.1-074, but on a WSA with version 8.5.2-027 this type of error does not occur. Please can you inform me of the root cause of this behavior and how I can solve it. Thank you in advance for your cooperation.
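The earlier reply says the negotiation bug shows up as 502 errors in the access logs, and the line quoted in this post is exactly that: a TCP_CONNECT answered with 502 and 0 bytes relayed, under a PASSTHRU_WEBCAT decision, for esta.cbp.dhs.gov. Rather than spotting these by eye, the parser below pulls the fields out of the Squid-style WSA access log layout (timestamp, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, MIME type, decision tag) and aggregates failed CONNECT tunnels per destination host so an administrator can see which sites are being broken and under which policy. This is an added example written for this thread, not Cisco's code; the first sample line is the one quoted above (the extraction left spaces around "/" in two fields, which the regex tolerates), the other two lines are constructed in the same layout.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: line 1 is the entry quoted in the thread, lines 2 and 3 are
# constructed (one successful tunnel, one more failure to the same host).
SAMPLE_LOG = """\
1483558564.689 968 10.10.165.35 TCP_MISS / 502 0 TCP_CONNECT 22.214.171.124:443 - DIRECT / esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" ""
1483558570.101 120 10.10.165.36 TCP_MISS/200 5120 TCP_CONNECT 192.0.2.10:443 - DIRECT/www.example.com - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_comp, 3.9, -, "-", IW_comp, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" ""
1483558575.404 901 10.10.165.35 TCP_MISS/502 0 TCP_CONNECT 22.214.171.124:443 - DIRECT/esta.cbp.dhs.gov - PASSTHRU_WEBCAT_7-INTERNETVIP-RedWifiRed0-NONE-NONE-NONE-DefaultGroup <IW_gov, 3.9, -, "-", IW_gov, -, "-", "-", "-", "-", "-", "-" "-" "" "" "" ""
"""

# Squid-style access log prefix; "\s*/\s*" accepts both "TCP_MISS/502" and the
# space-padded "TCP_MISS / 502" seen in the quoted line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)\s*/\s*(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)\s*/\s*(?P<peer>\S+)\s+(?P<mime>\S+)\s+(?P<decision>\S+)"
)


@dataclass
class AccessEntry:
    ts: float
    elapsed_ms: int
    client: str
    result: str
    status: int
    size: int
    method: str
    url: str
    peer: str
    decision: str

    @property
    def policy(self) -> str:
        # The decision tag starts with the action taken (e.g. PASSTHRU_WEBCAT_7),
        # followed by "-"-separated policy and identity names.
        return self.decision.split("-", 1)[0]


def parse_access_log(text: str) -> Iterator[AccessEntry]:
    """Yield one AccessEntry per parseable line; lines in another layout are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        yield AccessEntry(
            ts=float(m["ts"]), elapsed_ms=int(m["elapsed"]), client=m["client"],
            result=m["result"], status=int(m["status"]), size=int(m["size"]),
            method=m["method"], url=m["url"], peer=m["peer"], decision=m["decision"],
        )


def failed_tls_tunnels(entries) -> List[AccessEntry]:
    """CONNECT requests answered 502 with nothing relayed: the proxy never got an
    upstream TLS session up, which is the symptom described in the thread."""
    return [e for e in entries
            if e.method == "TCP_CONNECT" and e.status == 502 and e.size == 0]


def failures_by_host(entries) -> List[Tuple[str, int]]:
    return Counter(e.peer for e in failed_tls_tunnels(entries)).most_common()


def report(entries) -> List[str]:
    """One line per affected host: count, decryption policy action, and affected clients."""
    by_host = defaultdict(list)
    for e in failed_tls_tunnels(entries):
        by_host[e.peer].append(e)
    lines = []
    for host, fails in sorted(by_host.items(), key=lambda kv: -len(kv[1])):
        policies = ",".join(sorted({f.policy for f in fails}))
        clients = ",".join(sorted({f.client for f in fails}))
        lines.append(f"{host}: {len(fails)} failed CONNECT, policy {policies}, clients {clients}")
    return lines


if __name__ == "__main__":
    for line in report(parse_access_log(SAMPLE_LOG)):
        print(line)
```

Running this over a day's access log gives a ranked list of destinations the proxy cannot tunnel to, which is the list to correlate against a packet capture (for the TLS alert) and against the WSA version in use, rather than waiting for users to report individual sites.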