Blue Coat customers using the SSL Visibility Appliance product may notice that some SSL sessions to Google servers are being rejected with the session log indicating that the session is using an Unsupported named elliptic curve. This only happens if the policy action is to inspect the flow.
Google released a new elliptic curve (EC), X25519, for the ECDHE cipher; it is used in Google Chrome version 50. As a result, since May 10, SSL connections to some Google servers (using this curve) fail if the SSL Visibility Appliance is trying to inspect them.
To work around the issue, Google sites must be cut through.
The most efficient way to do this is by creating a custom Subject/Domain Name list for Google sites and applying it to a cut-through rule within the ruleset. The Subject/Domain Name List should contain, at the very least, the following entry since Google uses a wildcard certificate for most of their services:
More entries can be added to the custom list as needed.
Update - Release 126.96.36.199 addressed the issue detailed here and is available on the BTO as of June 6, 2016.
Blue Coat will be releasing a maintenance release of software for the SSL Visibility Appliance in the near future that adds support for the new elliptic curve so that customers will be able to decrypt this traffic.
Imported Document ID: 000031281