What does "unknown ssl://" mean in a SSL Intercept Layer Trace or Web Access Layer Trace?
Article ID: 167225

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

In an SSL Intercept Layer Trace, the term "unknown ssl://" can be seen. For example: 

start transaction -------------------

  CPL Evaluation Trace: transaction ID=88616
           <ssl-intercept>
    miss :     category=NoSSLTermination
[...]
    MATCH:     ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)
connection: service.name=HTTPS client.address=ip_address proxy.port=443
time: 2009-07-21 15:17:28 UTC
unknown ssl://example.com:443/
RDNS lookup was unrestricted
user: unauthenticated
url.category: none
DSCP client outbound: 65
DSCP server outbound: 65

stop transaction --------------------

In a Web Access Layer Trace, the term "unknown ssl://" can be seen. For example:

start transaction -------------------

connection: service.name=Explicit HTTP client.address=YY.YY.YY.YY proxy.port=8080 client.interface=1:1.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2018-04-05 21:44:57 UTC
unknown ssl://example.com:443/
  DNS lookup was unrestricted
origin server next-hop IP address=XX.XX.XX.XX
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
  url.category: none@Policy;none@YouTube;Financial Services@Blue Coat
    total categorization time: 1
    static categorization time: 1
  server.certficate.hostname.category: none@Policy;none@YouTube;Financial Services@Blue Coat
    total categorization time: 30
    static categorization time: 30
application.name: none
application.operation: none
DSCP client outbound: 65
DSCP server outbound: 65


stop transaction --------------------

Resolution

The "unknown" in "unknown ssl://" in this SSL Intercept Layer Trace is simply a placeholder for the request method (GET, POST, etc. in HTTP). Because this is an unintercepted SSL connection, the proxy has not yet decrypted it, so no method is visible.

In the Web Access Layer Trace, "unknown ssl://" means one of the following:

  • A policy rule matched that tells the proxy not to decrypt the traffic, so the proxy does not know what is in the SSL traffic headers.
  • There was an issue with the SSL protocol, so the traffic was not successfully decrypted and the proxy does not know its contents; the traffic may be using proprietary SSL.

Note: If the connection is successfully decrypted, an additional transaction follows in the trace with an https:// URL.
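
The check described in the note above can be automated when reviewing a long policy trace. The following is an added example, not code from the original article or from the product: it groups SSL transactions by host and reports which hosts were only ever seen as "unknown ssl://" and which were followed by an https:// transaction. The function name classify_hosts, the sample trace, the client addresses, and the "GET https://..." form of the decrypted request line are assumptions made for illustration.

```python
import re

# Constructed sample trace modelled on the excerpts above (not real proxy output).
# The "GET https://..." request line is an assumed form of the decrypted transaction.
SAMPLE_TRACE = """\
start transaction -------------------
connection: service.name=Explicit HTTP client.address=192.0.2.10 proxy.port=8080
unknown ssl://example.com:443/
stop transaction --------------------
start transaction -------------------
connection: service.name=Explicit HTTP client.address=192.0.2.10 proxy.port=8080
GET https://example.com/index.html
stop transaction --------------------
start transaction -------------------
connection: service.name=Explicit HTTP client.address=192.0.2.11 proxy.port=8080
unknown ssl://bank.example.net:443/
stop transaction --------------------
"""

# Request line: a method (or the "unknown" placeholder), then scheme://host.
REQUEST_RE = re.compile(r"^\s*\S+\s+(ssl|https)://([^/:\s]+)", re.IGNORECASE)
CLIENT_RE = re.compile(r"client\.address=(\S+)")

def classify_hosts(trace):
    """Return {host: {"state": ..., "clients": set}} for SSL transactions in a trace."""
    hosts, client, in_txn = {}, None, False
    for line in trace.splitlines():
        if line.startswith("start transaction"):
            in_txn, client = True, None
        elif line.startswith("stop transaction"):
            in_txn = False
        if not in_txn:
            continue
        if (c := CLIENT_RE.search(line)):
            client = c.group(1)
        m = REQUEST_RE.match(line)
        if not m:
            continue
        scheme, host = m.group(1).lower(), m.group(2).lower()
        entry = hosts.setdefault(host, {"state": "not decrypted", "clients": set()})
        if client:
            entry["clients"].add(client)
        if scheme == "https":
            entry["state"] = "decrypted"  # an https:// transaction followed the tunnel
    return hosts

if __name__ == "__main__":
    for host, info in sorted(classify_hosts(SAMPLE_TRACE).items()):
        print(f"{host}: {info['state']} (clients: {sorted(info['clients'])})")
```

A host reported as "not decrypted" covers both cases listed in the Resolution; the request line alone does not say whether policy chose not to decrypt or decryption failed.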