Cannot access a specific URL with weak encryption over Symantec SSL proxy
Last Updated December 17, 2013
When browsing to a specific HTTPS URL through the SSL Deep Inspection component of Symantec Web Gateway (SWG), the client browser displays a blank page. However, the client browser displays the content of other HTTPS pages.
Previous versions of the SWG appliance accepted MD5 and SHA-1 during SSL connections. SWG 5.2.0 no longer accepts MD5 or SHA-1 as supported methods during SSL connections because of the relative weakness of these algorithms.
Confirm that the connection failure between SWG and the web site is specific to the encryption handshake, then do one of the following:
- If the connection failure is specific to the connection handshake, work around the issue temporarily by creating an SSL Intercept Exception within the Interception policy for the specific site. Contact the Technical Contact for the domain to request that they support stronger encryption for SSL.
- If the site in question does not meet the security policy or usage requirements of your organization, make no changes within SWG and consider blocking the site by IP address at your firewall.
To confirm that the connection failure is specific to the encryption handshake
1. Collect a packet capture while reproducing the symptom.
2. Compare the packet capture to the example below to confirm that the SSL connection is failing during the handshake. In the example below, SWG's IP address on the LAN interface is 10.69.121.105 and the IP address of the test web server is [REMOVED]. Also note the "Handshake Failure".
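To make the "Handshake Failure" in the capture easier to recognise, the following added example (not part of the original article) decodes raw TLS records into readable descriptions and flags a fatal handshake_failure alert sent before any ServerHello. The byte strings are constructed samples, not the capture referred to above.

```python
import struct

# TLS record content types and the alert descriptions relevant to a failed handshake
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version",
                      71: "insufficient_security"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}

def version_name(major, minor):
    """Map the record-layer version bytes to the usual protocol name."""
    if major == 3 and minor == 0:
        return "SSL 3.0"
    if major == 3 and 1 <= minor <= 3:
        return "TLS 1.%d" % (minor - 1)
    return "version %d.%d" % (major, minor)

def parse_records(data):
    """Split a TLS byte stream into (content_type, (major, minor), payload) tuples."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    return records

def describe(data):
    """Return one human-readable line per record, e.g. 'TLS 1.2 alert:fatal handshake_failure'."""
    lines = []
    for ctype, (major, minor), payload in parse_records(data):
        kind = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        if ctype == 22 and payload:
            kind += ":" + HANDSHAKE_TYPES.get(payload[0], "type %d" % payload[0])
        elif ctype == 21 and len(payload) >= 2:
            level = "fatal" if payload[0] == 2 else "warning"
            kind += ":%s %s" % (level, ALERT_DESCRIPTIONS.get(payload[1], "code %d" % payload[1]))
        lines.append("%s %s" % (version_name(major, minor), kind))
    return lines

def handshake_failed(data):
    """True if a fatal handshake_failure alert (level 2, description 40) precedes any ServerHello."""
    for ctype, _, payload in parse_records(data):
        if ctype == 22 and payload and payload[0] == 2:   # ServerHello: negotiation succeeded
            return False
        if ctype == 21 and payload[:2] == b"\x02\x28":   # fatal handshake_failure
            return True
    return False

# Constructed samples: a minimal ClientHello followed by the server's fatal alert, and a ClientHello
# followed by a ServerHello (the healthy case).
CLIENT_HELLO = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"
FATAL_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"
SERVER_HELLO = b"\x16\x03\x03\x00\x06\x02\x00\x00\x02\x03\x03"
FAILED_CAPTURE = CLIENT_HELLO + FATAL_ALERT
HEALTHY_CAPTURE = CLIENT_HELLO + SERVER_HELLO
```

Feed `describe()` the reassembled TCP payload of the capture (for example, exported from Wireshark as raw bytes) and a failing site shows the alert immediately after the ClientHello.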
To create an SSL Intercept Exception for the site
1. Within the SWG user interface (UI), navigate to Policies > Configuration.
2. On the policy with a Type of SSL that is closest to the top of the list of policies, click the Edit Policy button (the button with a picture of a pencil).
3. Scroll down to the section labeled "SSL Intercept Exceptions".
4. Click "Add an exception".
5. In the "Domain Name/IP" field, type the domain name or IP address you seek to exempt from SSL Interception.
6. In the "Action" dropdown box, select Ignore.
7. In Description, type a brief explanation, such as "site only supports MD5 encryption".
On Administration > Configuration > Operating Mode, SWG 5.2.0 is set to either Proxy or Inline+Proxy mode.
On Administration > Configuration > Proxy, SSL Deep Inspection is checked.
The client browser is configured to send HTTPS traffic to the IP address of the SWG appliance and the port of the SSL Deep Inspection service. (This setting might be configured either in the Internet Options on Connection > LAN Settings > Advanced or in a proxy.pac file.)
Imported Document ID: TECH213384