SSL

snormoyle (Level 1)

I have an odd issue with certain sites and SSL. When a user goes to https://www.hotmail.com the site works fine. If a user goes to https://slep.dmsbfda.army.mil the browser returns "page cannot be displayed".

We are not decrypting any SSL traffic; it is all either dropped or passed through based on the URL category. Anything in the URL category "government" is set to pass through in the decryption policies. The site's host was put in the whitelist, but it still would not work. Finally I put the site's host in the bypass list and it worked.

Below is the grep from the access logs using the client IP (masked for security reasons), and the only thing I see is that the remote server is dropping/disconnecting the traffic (this grep was done before adding the site's host to the proxy bypass). Since we are decrypting any SSL traffic there will not be much to look at in the log files.

We are on version 7.1.0 using the S650.

1302822657.016 102 X.X.X.X TCP_MISS/200 0 TCP_CONNECT 140.139.90.179:443 - DIRECT/140.139.90.179 - OTHER-NONE-NONE-NONE-NONE-NONE-DefaultGroup <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - -

Idea: (maybe)

If the remote site is using a proxy server, is it possible that there could be an issue between the remote site's proxy and my IronPort proxy? Maybe the remote site's proxy is checking or looking for something, but cannot since it is not communicating directly with the client. Remember, I have the remote host in the proxy bypass on my proxy server and it will work.

1 Reply

snormoyle (Level 1)

This issue has been resolved. There is a known issue in version 7.1 concerning SSL. In version 7.1 the IronPort only wants to talk TLS, so if the remote site is not configured for TLS then neither side knows how to talk to the other. You will see this by doing a packet capture on the IronPort. The only workaround is to put the site in question in the proxy bypass list.
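The reply points at a packet capture to confirm the version mismatch. As an added example, not part of the original thread or Cisco's tooling, the script below does the same check from the command line: it sends the remote server a raw ClientHello offering exactly one protocol version at a time and reports whether the answer is a ServerHello, an alert, or a dropped connection. It builds the records by hand rather than using Python's ssl module because current Python builds cannot speak SSLv3 at all, and SSLv3 is the case the reply describes (a server "not configured for TLS"). Record layouts follow the SSLv3/TLS specifications; the cipher suite list and alert codes are the standard ones; the target host is taken from the command line and is an assumption of the script, not something the thread confirms about the site.

```python
import socket
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
NAMES = {v: k for k, v in VERSIONS.items()}

# Alert descriptions a server sends when it refuses the offered version.
ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 80: "internal_error"}

# A few RSA cipher suites that SSLv3-era servers accept.
CIPHER_SUITES = bytes.fromhex("002f0035000a00050004")


def build_client_hello(version):
    """Return a record carrying a ClientHello that offers exactly one version.

    No extensions are included: SSLv3 does not define them, and a server that
    only speaks SSLv3 may reject a hello that carries any.
    """
    major, minor = version
    body = bytes([major, minor])
    body += b"\x00" * 32            # client random (constructed; fine for a probe)
    body += b"\x00"                 # session ID length 0
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"             # one compression method: null
    # Handshake header: type 1 = ClientHello, 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 = handshake, version, 16-bit length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the server's first record as ('server_hello', version),
    ('alert', description), ('closed', None) or ('unknown', None)."""
    if not data:
        return ("closed", None)     # server hung up without sending an alert
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: type(1) length(3) version(2) random(32) ...
        chosen = (payload[4], payload[5])
        return ("server_hello", NAMES.get(chosen, "unknown %d.%d" % chosen))
    if content_type == 0x15 and len(payload) >= 2:
        # Alert: level(1) description(1)
        return ("alert", ALERTS.get(payload[1], "alert %d" % payload[1]))
    return ("unknown", None)


def probe(host, port=443, timeout=5):
    """Offer each version in turn and record how the server answers."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:      # reset, timeout, refused
            results[name] = ("error", type(exc).__name__)
    return results


def diagnose(results):
    """Reduce a probe result to the case that matters for a TLS-only proxy."""
    tls_ok = any(results.get(n, ("", None))[0] == "server_hello"
                 for n in ("TLSv1.0", "TLSv1.1", "TLSv1.2"))
    ssl3_ok = results.get("SSLv3", ("", None))[0] == "server_hello"
    if ssl3_ok and not tls_ok:
        return "ssl3_only"          # a TLS-only proxy can never complete this handshake
    if tls_ok:
        return "tls"
    return "no_handshake"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py HOST")
    res = probe(sys.argv[1])
    for name, outcome in res.items():
        print("%-8s %s" % (name, outcome))
    print("verdict:", diagnose(res))
```

Run it from a machine that reaches the site directly, not through the appliance, so the answer reflects the remote server and not the proxy. An `ssl3_only` verdict is the situation the reply describes: the appliance offers TLS, the server accepts only SSLv3, and the client just sees a closed connection. It also means the bypass entry re-exposes clients to SSLv3, which is worth weighing against the access requirement.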