We are running into some issues with Gmail and the SSL Scanner. I think Gmail has updated their SSL cipher and we are seeing the following issues across all browsers:
If I bypass the SSL scanner in MWG for mail.google.com then everything works fine. The issue with this is that we block uploads/downloads in Gmail and if we bypass the scanner our upload block rule no longer works.
Does anyone have any workarounds to get this working but keep blocking uploads/downloads?
Using the developer tools in a browser can be very useful when some background element is getting a block page or, in this case, a handshake failure. You can look at the HTTP status text, as it will have the "Block Reason" from the block settings.
Copy the blocked URLs and pull them up directly in the browser, so that you can examine the error text.
If it includes "unsafe legacy renegotiation", then you need settings (you can have multiple settings) that have checked "Allow handshake and renegotiation with servers that do not implement RFC 5746".
I've only found a few sites that don't like "Send empty plaintext fragment". You'll need "Allow legacy signatures in the handshake" checked for SHA1.
And, there are plenty of sites that will just drop a connection if you allow SSLv3, even if you have all the TLS versions checked.
From there, it's all about the ciphers.
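The checks in the reply above can also be made from a shell by looking at what the server itself negotiates. This is an added example, not part of the thread and not MWG tooling: the function name `classify_handshake`, the hint labels and the sample text are assumptions constructed for illustration, and it only reads text in the shape `openssl s_client` prints.

```shell
#!/bin/sh
# Added example, not part of the thread. Reads saved `openssl s_client` output
# on stdin and prints which of the settings named in the reply to review.

classify_handshake() {
    out=$(cat)
    # A failed handshake also prints "Secure Renegotiation IS NOT supported",
    # so rule it out first: nothing was negotiated, compare versions/ciphers.
    if printf '%s\n' "$out" | grep -Eq 'alert handshake failure|Cipher is \(NONE\)'; then
        echo "hint=handshake-failed: review enabled TLS versions and cipher list"
        return 0
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    digest=$(printf '%s\n' "$out" | sed -n 's/^Peer signing digest: *//p' | head -n 1)
    echo "protocol=${proto:-unknown} cipher=${cipher:-unknown}"
    # TLS 1.3 has no renegotiation, so the "NOT supported" line is expected there.
    if [ "$proto" != "TLSv1.3" ] &&
       printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo "hint=no-rfc5746: server needs the RFC 5746 compatibility setting"
    fi
    if [ "$digest" = "SHA1" ]; then
        echo "hint=sha1-signature: server needs 'Allow legacy signatures in the handshake'"
    fi
    return 0
}

# Constructed sample: excerpt shaped like s_client output from a legacy server.
sample_legacy_server() {
    cat <<'EOF'
Peer signing digest: SHA1
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
EOF
}

# Live use (HOST is the blocked URL's hostname from the developer tools):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1 | classify_handshake
```

Run it from a machine that reaches the site without passing through the gateway, so the output reflects the origin server rather than the gateway's own certificate and cipher choice.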
Thanks for the help johnaldridge.
I've actually tried changing some of the inspection (I've narrowed the issue down to "Enable Content Inspection" rule) options but no luck. I worked with a tech and changed some of the cipher options, but again to no avail. It seems that the content inspection is stalling the connection to Gmail.
I'm looking at the developer tools and when I look at the Security tab I notice that some are Unknown / Canceled:
So then I click on one and go to the Network Panel and it appears to be stalling:
I still can't figure out why it's stalling. I'm not sure where I should look next?