This article describes an issue that SGOS versions since 6.7.2.X experience when accessing some specific HTTPS sites.
The error appears in packet captures as follows:
Alert (Level: Fatal, Description: Decode Error)
This error is experienced in the latest Mozilla Firefox and Google Chrome versions, but not with Internet Explorer.
In addition, the same error is also visible from SGOS prior to 220.127.116.11 using TLSv1.2.
The SSL handshake breaks after the proxy receives a Server Hello message from the destination server. This occurs because the server is trying to use an Elliptic Curve that is currently unsupported by the ProxySG.
The Elliptic Curve in question can be found within a packet capture under the segment titled "Extension: elliptic_curves".
Elliptic curve: ecdh_x25519 (0x001d)
The issue with SGOS prior to 18.104.22.168 is caused by a signature algorithm that is not supported for TLSv1.2; this has been patched starting with SGOS 22.214.171.124.
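To check a capture for the symptom described above, the following added example (not Symantec or ProxySG code) decodes a plaintext TLS alert record and an elliptic_curves extension and reports whether a fatal decode_error coincides with x25519 (0x001d). The function names and sample bytes are constructed for illustration; the numeric codes are the standard TLS registry values.

```python
import struct

# Standard TLS registry values; only the entries needed for this triage.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 50: "decode_error", 70: "protocol_version"}
NAMED_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001D: "x25519"}
EXT_ELLIPTIC_CURVES = 0x000A  # shown by Wireshark as "Extension: elliptic_curves"


def parse_alert_record(record: bytes):
    """Decode a plaintext alert record: type(1) version(2) length(2) level(1) desc(1)."""
    if len(record) < 7:
        raise ValueError("truncated TLS record")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:  # an encrypted alert has a longer payload
        raise ValueError("not a plaintext alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, f"unknown({level})"), ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")


def parse_elliptic_curves(ext: bytes):
    """Decode one extension: type(2) length(2) list_length(2), then 2-byte group ids."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_ELLIPTIC_CURVES:
        raise ValueError("not an elliptic_curves extension")
    if ext_len != list_len + 2 or list_len % 2 or len(ext) != 4 + ext_len:
        raise ValueError("inconsistent extension lengths")
    ids = struct.unpack(f"!{list_len // 2}H", ext[6:])
    return [(gid, NAMED_GROUPS.get(gid, "unknown")) for gid in ids]


def matches_article_symptom(alert_record: bytes, curves_ext: bytes) -> bool:
    """True when the capture shows a fatal decode_error and x25519 (0x001d) is listed."""
    level, desc = parse_alert_record(alert_record)
    listed = {gid for gid, _ in parse_elliptic_curves(curves_ext)}
    return (level, desc) == ("fatal", "decode_error") and 0x001D in listed


# Constructed sample bytes (not taken from a real capture).
SAMPLE_ALERT = bytes.fromhex("15" "0303" "0002" "02" "32")
SAMPLE_EXT = bytes.fromhex("000a" "0008" "0006" "001d" "0017" "0018")

if __name__ == "__main__":
    print(parse_alert_record(SAMPLE_ALERT))
    print(parse_elliptic_curves(SAMPLE_EXT))
    print(matches_article_symptom(SAMPLE_ALERT, SAMPLE_EXT))
```
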
In Explicit environments, a possible workaround is disabling Protocol Detection for the specific sites.
In Transparent environments, the sites should be added to the Static Bypass List.
Downgrade your appliance to a release of SGOS that supports the Elliptic Curve described.
The latest SGOS 6.5.X and 6.6.X versions support this extension.
SGOS 6.7.1.X versions support this extension.