SSL Decode Error with some sites when using SGOS 6.7.2.X
Last Updated March 04, 2018
This article describes an issue that affects SGOS versions from 6.7.2.X onward when accessing some specific HTTPS sites.
The error can be found in packet captures as follows:
Alert (Level: Fatal, Description: Decode Error)
This error is experienced in the latest Mozilla Firefox and Google Chrome versions, but not with Internet Explorer.
The SSL handshake breaks after the proxy receives a Server Hello message from the destination server. This occurs because the server is trying to use an Elliptic Curve that is currently unsupported by the ProxySG.
The Elliptic Curve in question can be found within a packet capture under the segment titled "Extension: elliptic_curves".
Elliptic curve: ecdh_x25519 (0x001d)
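To check a captured ClientHello for the curve named above without opening a dissector, the following added example (not part of the original article or of any SGOS tooling) parses the extension the capture shows as "elliptic_curves" (type 0x000a) and lists the offered curves. The sample record is constructed inline, and the function names are illustrative.

```python
import struct

# IANA TLS supported-group code points; 0x001d is the curve named in this article.
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1", 0x001D: "x25519"}
EXT_SUPPORTED_GROUPS = 0x000A  # the extension the article's capture shows as "elliptic_curves"

def offered_groups(record: bytes) -> list:
    """Return the group IDs a TLS ClientHello record offers, in order ([] if none)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        pos = 5 + 4 + 2 + 32                                 # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                               # session_id
        pos += 2 + struct.unpack_from(">H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                               # compression_methods
        if pos == len(record):
            return []                                        # no extensions block at all
        end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from(">HH", record, pos)
            pos += 4
            if ext_type == EXT_SUPPORTED_GROUPS:
                count = struct.unpack_from(">H", record, pos)[0] // 2
                return list(struct.unpack_from(f">{count}H", record, pos + 2))
            pos += ext_len                                   # skip unrelated extension
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed ClientHello") from None
    return []

def describe(record: bytes) -> list:
    """Map offered group IDs to names, keeping unknown IDs visible as hex."""
    return [GROUPS.get(g, hex(g)) for g in offered_groups(record)]

def build_sample(groups) -> bytes:
    """Constructed ClientHello for the demo; not a capture from the article."""
    glist = b"".join(struct.pack(">H", g) for g in groups)
    exts = struct.pack(">HH", 0xFF01, 1) + b"\x00"           # renegotiation_info, skipped by parser
    if groups:
        exts += struct.pack(">HHH", EXT_SUPPORTED_GROUPS, len(glist) + 2, len(glist)) + glist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

if __name__ == "__main__":
    for label, groups in (("with x25519", [0x001D, 0x0017, 0x0018]), ("without", [0x0017, 0x0018])):
        names = describe(build_sample(groups))
        print(f"{label}: {names} -> x25519 offered: {'x25519' in names}")
```

Feed `offered_groups` the raw bytes of the TLS record that carries the ClientHello, exported from the capture.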
In Explicit environments, a possible workaround is disabling Protocol Detection for the specific sites.
In Transparent environments, the sites should be added to the Static Bypass List.
Downgrade your appliance to a release of SGOS that supports the Elliptic Curve described.
The latest SGOS 6.5.X and 6.6.X versions support this extension.
SGOS 6.7.1.X versions support this extension.