
Dropbox: can’t Establish a Secure Connection


Hi,

We're running Web Gateway in proxy mode with pacs, self-signed Proxy Certs. If we run the Dropbox app with "detect automatically" proxy settings we get the annoying message above in the subject although it seems to synchronize just fine.
We tried to exempt dropbox.com from TLS scanning but to no avail.
Any suggestions?

Best Regards

2 Solutions

Accepted Solutions
McAfee Employee aloksard
Message 2 of 5

Re: Dropbox: can’t Establish a Secure Connection

Hi,

Hope you are doing well.

 

The issue here is that the Dropbox application does not trust the certificate issued by MWG if SSL Scanning is enabled.

The following is seen with the Dropbox application and SSL Scanning enabled:

CONNECT d.dropbox.com:443 HTTP/1.1
Host: d.dropbox.com
Proxy-Connection: keep-alive

<<<
17:59:10.361: Send 39 bytes; offset = 0
>>>
HTTP/1.0 200 Connection established

<<<
17:59:10.615: Peeked 178 bytes
>>>
17:59:10.875: SSL Accept: Would Block: (EPOLLIN, EPOLLONESHOT)
17:59:10.876: SSL Accept failed 1: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
17:59:10.876: Receive: errno: 104 - 'Connection reset by peer' (104)
17:59:10.877: Shutdown with error 107
17:59:10.877: Received FIN
17:59:10.877: Releasing and closing FD (fd = 71, 0)



"alert unknown ca" is the error being seen here, which means that the certificate issued by MWG and given to the application is not trusted by the application.

This may not work with native desktop applications if they do not accept the certificate presented by the web gateway like a web browser would. For instance, it is known that Dropbox’s desktop application will not work when the SSL Scanner is enabled, as it will not accept the MWG’s certificate. The Dropbox app is hardcoded to only accept Dropbox certs. You can't use the SSL scanner for it. MWG generates server certificates using the configured Root CA when using the SSL Scanner. Therefore, if using the SSL Scanner, the Dropbox application will refuse to connect for security purposes. You must exempt the application from the SSL Scanner.

 

Regards

Alok Sarda

Re: Dropbox: can’t Establish a Secure Connection

Hi and thank you for your answer,

At least in my environment I had to add or rather remove the following domains from SSL scanning / inspection:

*.dropbox.com
*.dropboxusercontent.com
*.dropboxapi.com

See here for reference: https://help.dropbox.com/accounts-billing/security/official-domains

So far, the error / warning hasn't returned.

cheers

McAfee Employee aloksard
Message 4 of 5

Re: Dropbox: can’t Establish a Secure Connection

Hi,

Hope you are doing well.

 

Thanks for the update here. As mentioned in my first email, this application traffic needs to be bypassed from SSL Scanner.

 

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

 

Regards

Alok Sarda

Re: Dropbox: can’t Establish a Secure Connection


Unfortunately I cannot give kudos yet it seems but I will mark your reply as the answer.
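
An added example, not part of the original thread and not McAfee tooling: a small Python check that reads a connection trace shaped like the one quoted in Message 2, lists the CONNECT hosts whose client answered the gateway certificate with "alert unknown ca", and reports which of them are not covered by the exemption wildcards from the later reply. The sample trace is constructed, the trace is assumed to be sequential per connection, and the glob matching is this script's own, not MWG's rule engine.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample, modeled on the trace format quoted in the thread.
SAMPLE_TRACE = """\
CONNECT d.dropbox.com:443 HTTP/1.1
Host: d.dropbox.com
17:59:10.876: SSL Accept failed 1: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
17:59:10.877: Releasing and closing FD (fd = 71, 0)
CONNECT www.example.org:443 HTTP/1.1
Host: www.example.org
18:00:02.100: Releasing and closing FD (fd = 72, 0)
CONNECT content.dropboxapi.com:443 HTTP/1.1
18:00:05.412: SSL Accept failed 1: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
"""

# Wildcards the thread reports exempting from SSL scanning.
EXEMPT = ["*.dropbox.com", "*.dropboxusercontent.com", "*.dropboxapi.com"]

CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/")
ALERT_RE = re.compile(r"SSL Accept failed.*alert unknown ca")

def hosts_rejecting_gateway_cert(trace):
    """Hosts whose client rejected the gateway-issued certificate."""
    current, rejected = None, []
    for line in trace.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            current = m.group(1).lower()   # new tunnel request
        elif current and ALERT_RE.search(line):
            if current not in rejected:
                rejected.append(current)
            current = None                 # one finding per tunnel
    return rejected

def is_exempt(host, patterns=EXEMPT):
    """Glob match; '*.dropbox.com' does not match bare 'dropbox.com'."""
    return any(fnmatchcase(host.lower(), p) for p in patterns)

def uncovered(trace, patterns=EXEMPT):
    """Rejecting hosts that the exemption list does not yet cover."""
    return [h for h in hosts_rejecting_gateway_cert(trace)
            if not is_exempt(h, patterns)]

if __name__ == "__main__":
    print("rejecting:", hosts_rejecting_gateway_cert(SAMPLE_TRACE))
    print("uncovered by *.dropbox.com only:",
          uncovered(SAMPLE_TRACE, ["*.dropbox.com"]))
```

Run against the sample with only "*.dropbox.com" exempted, the second host stays uncovered, which matches the later reply's experience that all three domains had to be listed.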
