ALPN issue on MWG 7.7.0.3 with Chrome

Hi,

We're running MWG version 7.7.0.3. Lately we have had a few sites that don't work with Chrome when SSL scanning is enabled; IE works fine.

The SSL error message below is displayed:

The SSL handshake could not be performed.

Host: www.tvnz.co.nz

Reason: error:14094460:SSL routines:ssl3_read_bytes:reason(1120):SSL error at server handshake:state 25:Application response 500 handshakefailed

A Wireshark capture suggests that the remote site rejects the connection with "No application Protocol"; it looks like the MWG is stripping the ALPN.

MWG to Server Client Hello:

Secure Sockets Layer

    TLSv1.2 Record Layer: Handshake Protocol: Client Hello

        Content Type: Handshake (22)

        Version: TLS 1.0 (0x0301)

        Length: 512

        Handshake Protocol: Client Hello

            Handshake Type: Client Hello (1)

            Length: 508

            Version: TLS 1.2 (0x0303)

            Random

            Session ID Length: 0

            Cipher Suites Length: 172

            Cipher Suites (86 suites)

            Compression Methods Length: 1

            Compression Methods (1 method)

            Extensions Length: 295

            Extension: server_name

                Type: server_name (0x0000)

                Length: 19

                Server Name Indication extension

            Extension: ec_point_formats

                Type: ec_point_formats (0x000b)

                Length: 4

                EC point formats Length: 3

                Elliptic curves point formats (3)

            Extension: elliptic_curves

                Type: elliptic_curves (0x000a)

                Length: 10

                Elliptic Curves Length: 8

                Elliptic curves (4 curves)

            Extension: SessionTicket TLS

                Type: SessionTicket TLS (0x0023)

                Length: 0

                Data (0 bytes)

            Extension: signature_algorithms

                Type: signature_algorithms (0x000d)

                Length: 20

                Signature Hash Algorithms Length: 18

                Signature Hash Algorithms (9 algorithms)

            Extension: Heartbeat

                Type: Heartbeat (0x000f)

                Length: 1

                Mode: Peer allowed to send requests (1)

            Extension: next_protocol_negotiation

                Type: next_protocol_negotiation (0x3374)

                Length: 0

            Extension: Application Layer Protocol Negotiation

                Type: Application Layer Protocol Negotiation (0x0010)

                Length: 5

                ALPN Extension Length: 3

                ALPN Protocol

                    ALPN string length: 2

                    ALPN Next Protocol: h2

            Extension: Padding

                Type: Padding (0x0015)

                Length: 200

                Padding Data: 000000000000000000000000000000000000000000000000...

Original Client Hello when disabling the proxy:

Secure Sockets Layer

    TLSv1.2 Record Layer: Handshake Protocol: Client Hello

        Content Type: Handshake (22)

        Version: TLS 1.0 (0x0301)

        Length: 245

        Handshake Protocol: Client Hello

            Handshake Type: Client Hello (1)

            Length: 241

            Version: TLS 1.2 (0x0303)

            Random

            Session ID Length: 32

            Session ID: d7f1f94eb49dbf9c52a0fc15313a13c5ce1b8654e289f256...

            Cipher Suites Length: 32

            Cipher Suites (16 suites)

            Compression Methods Length: 1

            Compression Methods (1 method)

                Compression Method: null (0)

            Extensions Length: 136

            Extension: Unknown 6682

                Type: Unknown (0x1a1a)

                Length: 0

                Data (0 bytes)

            Extension: renegotiation_info

                Type: renegotiation_info (0xff01)

                Length: 1

                Renegotiation Info extension

                    Renegotiation info extension length: 0

            Extension: server_name

                Type: server_name (0x0000)

                Length: 31

                Server Name Indication extension

            Extension: Extended Master Secret

                Type: Extended Master Secret (0x0017)

                Length: 0

            Extension: SessionTicket TLS

                Type: SessionTicket TLS (0x0023)

                Length: 0

                Data (0 bytes)

            Extension: signature_algorithms

                Type: signature_algorithms (0x000d)

                Length: 20

                Signature Hash Algorithms Length: 18

                Signature Hash Algorithms (9 algorithms)

            Extension: status_request

                Type: status_request (0x0005)

                Length: 5

                Certificate Status Type: OCSP (1)

                Responder ID list Length: 0

                Request Extensions Length: 0

            Extension: signed_certificate_timestamp

                Type: signed_certificate_timestamp (0x0012)

                Length: 0

                Data (0 bytes)

            Extension: Application Layer Protocol Negotiation

                Type: Application Layer Protocol Negotiation (0x0010)

                Length: 14

                ALPN Extension Length: 12

                ALPN Protocol

                    ALPN string length: 2

                    ALPN Next Protocol: h2

                    ALPN string length: 8

                    ALPN Next Protocol: http/1.1

            Extension: channel_id

                Type: channel_id (0x7550)

                Length: 0

                Data (0 bytes)

            Extension: ec_point_formats

                Type: ec_point_formats (0x000b)

                Length: 2

                EC point formats Length: 1

                Elliptic curves point formats (1)

            Extension: elliptic_curves

                Type: elliptic_curves (0x000a)

                Length: 10

                Elliptic Curves Length: 8

                Elliptic curves (4 curves)

            Extension: Unknown 56026

                Type: Unknown (0xdada)

                Length: 1

                Data (1 byte)

Thanks.
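To compare the two ALPN offers shown in the captures byte for byte, the following added example (not part of the original post and not McAfee code) walks a ClientHello extensions block and reports which protocol names differ between the browser's hello and the proxy's. The byte strings are constructed from the types and lengths in the two dissections above, and the function names are hypothetical.

```python
import struct

ALPN_EXT = 0x0010  # application_layer_protocol_negotiation (RFC 7301)

# Constructed sample input: a trimmed extensions block per hello, built from the
# types and lengths in the two captures (ALPN length 14 vs. length 5).
BROWSER_EXTS = b"\x00\x17\x00\x00" + b"\x00\x10\x00\x0e\x00\x0c\x02h2\x08http/1.1"
PROXY_EXTS = b"\x00\x0f\x00\x01\x01" + b"\x00\x10\x00\x05\x00\x03\x02h2"

def parse_extensions(block: bytes) -> dict:
    """Split an extensions block (after its 2-byte total length) into {type: body}."""
    exts, off = {}, 0
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, off)
        off += 4
        if off + ext_len > len(block):
            raise ValueError("extension body overruns the block")
        exts[ext_type] = block[off:off + ext_len]
        off += ext_len
    return exts

def parse_alpn(body: bytes) -> list:
    """Decode an ALPN ProtocolNameList: 2-byte list length, then 1-byte-prefixed names."""
    if len(body) < 2 or struct.unpack_from("!H", body)[0] != len(body) - 2:
        raise ValueError("ALPN list length does not match extension length")
    names, off = [], 2
    while off < len(body):
        n = body[off]
        off += 1
        if n == 0 or off + n > len(body):
            raise ValueError("malformed ALPN protocol name")
        names.append(body[off:off + n].decode("latin-1"))
        off += n
    return names

def compare_offers(client_block: bytes, proxy_block: bytes) -> dict:
    """Return both ALPN offers plus the names the proxy dropped or added."""
    def offer(block):
        body = parse_extensions(block).get(ALPN_EXT)
        return parse_alpn(body) if body is not None else []  # [] means no ALPN sent
    client, proxy = offer(client_block), offer(proxy_block)
    return {"client": client, "proxy": proxy,
            "dropped": [p for p in client if p not in proxy],
            "added": [p for p in proxy if p not in client]}

if __name__ == "__main__":
    print(compare_offers(BROWSER_EXTS, PROXY_EXTS))
```
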
