otruniger
Level 10
Message 1 of 10

MWG cannot complete SSL handshake to www.moodys.com

There is something strange with www.moodys.com because MWG cannot complete an SSL handshake anymore. Even with openssl s_client -connect I cannot get it working.

Using curl it shows a strange behaviour but it works and using a decent browser it also works.

Does anyone have a clue how to get MWG working to enable SSL splitting?

Regards, Othmar

Accepted Solutions

Re: MWG cannot complete SSL handshake to www.moodys.com

OK, I solved our problem with a workaround rule which adds an X-Forwarded-For dummy value specifically for this site.

I still have no clue why this is related. Removing this header field works for all other sites with our rule set.

9 Replies
aloksard
McAfee Employee
Message 2 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

Hi,

Hope you are doing well.

So users are getting an SSL handshake failed error for URL www.moodys.com when going through MWG, as MWG is not able to successfully establish an SSL handshake between itself and the destination server.

This can be an issue with the ciphers being sent by MWG in the client hello packet.

We would require a packet capture on MWG while reproducing the issue in order to see what is happening between MWG and the destination server connection.

You can also check the output for this URL on the https://www.ssllabs.com website to see what the server supports.

I would suggest gathering a PCAP from MWG, opening an SR with support and pinging me the case number so that I can have a look at the data if required.

Regards

Alok Sarda

otruniger
Level 10
Message 3 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

I have to dig deeper into the problem. There is no message about an SSL handshake error, but no response in time.

I was misled by my test with openssl, because it was the first time that I came across a website where I needed to add -servername to the openssl s_client command, because no certificate is sent when the servername option is missing.

I will now try a packet capture.

otruniger
Level 10
Message 4 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

If I compare the sniffer dump of a split and a non-split session I come to the conclusion that the SSL handshake is OK. It looks like the problem is that the webserver does not send a response message after having TCP-acknowledged the request message. So MWG terminates the session by sending an Encrypted Alert. In a non-split session the response message is sent immediately.

Now I have no clue what to look for. Connection tracing does not give any help either because there is just no response from the webserver. Protocol is HTTP/1.1.

Am I the only one with this behaviour?

otruniger
Level 10
Message 5 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

OK, I tracked it down to a completely different problem. But I'm stuck here too. Hopefully someone can advise me here.

In our rule set we always had a rule in the Common Rules Set to remove the field X-Forwarded-For because we don't want the webservers to track our internal IP addresses. If I disable that rule the communication to the webserver runs fine.

Why would the webserver not return a response if the X-Forwarded-For header field is missing in the split SSL session?

Do others see the same problem and how do they handle it?

Is there a different method to deal with the X-Forwarded-For header field?

Any help is deeply appreciated.

aloksard
McAfee Employee
Message 6 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

Hi,

Hope you are doing well.

The issue is not reproducible at my end. I am able to access https://www.moodys.com/ successfully with the X-Forwarded-For header removed in my rules.

The connection from my MWG is being made to destination IP address 115.248.238.59.

Below is a connection example from my MWG to the destination server with X-Forwarded-For stripped off and the connection being successful.

10:22:13.974: Connect: Would block (EPOLLOUT, EPOLLONESHOT, EPOLLERR) 115.248.238.59:443 (fd = 97, date = 07.12.2018, MWG 7.8.2.1.0-26563
10:22:14.558: SSL Connect: Would Block: (EPOLLIN, EPOLLONESHOT)
10:22:14.627: SSL Connect: Would Block: (EPOLLIN, EPOLLONESHOT)
10:22:14.660: SSL Connect finished ok. Session re-use = 0, digest = fcc39bc08c624bc5dc3254c1d97a8a20db5c0768f632b015e33bf782d50bef5c, ALPN = http/1.1, cipher = ECDHE-ECDSA-AES256-GCM-SHA384 (TLSv1.2)
10:22:15.116: Connection is still ok
10:22:15.116: Connection is still ok
10:22:15.116: Send 781 bytes; offset = 0
[[[
GET / HTTP/1.1
Host: www.moodys.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Cookie: ak_bmsc=CDA8088DA67CB5F13B8C8806A54E5A9F73F8EE37D0750000D5490A5C36747C05~plNdXaQjFMlr+ZvhGYiuv2BkYSOlU9DQSlQiOaADFZ1MEf9+/QRyQVJBC+B029gthOT75s3Yc6No/GHVIWY+oU8PYRsG8twnhS9IyounmBOAaG15arj4zYazBN4XFtweCKL565Ex5F7TwX7CFmbLVLcnRXjuW7hTubAGIwzZPs4if0b6wZ1qPHEGEagsh9BdEbLUgjh0hWZ4lnFzyZGvEioDhls/BBBWWBJL+Xdn0zkcU=
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Upgrade-Insecure-Requests:
Connection: Keep-Alive

]]]
10:22:15.116: Receive: Would Block (EPOLLIN, EPOLLONESHOT)
10:22:15.890: Receive: Would Block (EPOLLIN, EPOLLONESHOT)
10:22:15.920: Receive: Would Block (EPOLLIN, EPOLLONESHOT)
10:22:15.971: Receive: Would Block (EPOLLIN, EPOLLONESHOT)
10:22:15.982: Receive: Would Block (EPOLLIN, EPOLLONESHOT)
10:22:16.003: Receive: Would Block (EPOLLIN, EPOLLONESHOT)
10:22:16.033: Received 8192 bytes
[[[
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
SPRequestGuid: b2b12370-afc3-444c-836a-37ea61dd45f5
X-SharePointHealthScore: 0
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=Edge,chrome=1
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.moodys.com *.gigya.com *.googletagmanager.com *.google-analytics.com *.googleapis.com *.qualtrics.com *.webtrendslive.com *.webtrends.com *.salesforceliveagent.com *.adobedtm.com;
X-Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.moodys.com *.gigya.com *.googletagmanager.com *.google-analytics.com *.googleapis.com *.qualtrics.com *.webtrendslive.com *.webtrends.com *.salesforceliveagent.com *.adobedtm.com;
X-Webkit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.moodys.com *.gigya.com *.googletagmanager.com *.google-analytics.com *.googleapis.com *.qualtrics.com *.webtrendslive.com *.webtrends.com *.salesforceliveagent.com *.adobedtm.com;
Strict-Transport-Security: max-age=31536000
Cteonnt-Length: 113693
Content-Encoding: gzip
x-request-id: ddc74219048c99791138e3372e63e4b3
Vary: Accept-Encoding
X-Akamai-Transformed: 9 25920 0 pmb=mTOE,2
Date: Fri, 07 Dec 2018 10:22:15 GMT
Content-Length: 24212
Connection: keep-alive
Set-Cookie: credentials=; Expires=Tue, 12-Dec-17 10:22:15 GMT; Domain=moodys.com; Path=/; HttpOnly
Set-Cookie: .ASPXANONYMOUS=USrej6jE1AEkAAAAOWRmYjcxY2EtYjZmOC00MzEwLWI2NzItMDllMTc0YmQ4NTM19Q1f3UreZvy5eb5H-ibPZCZhA6s1; expires=Thu, 14-Feb-2019 21:02:14 GMT; path=/; secure; HttpOnly
Set-Cookie: MDC.ASPXAUTH.IPAUTHENFAIL=; path=/; secure; HttpOnly
Set-Cookie: Mdc.FedAuth=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: credentials=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: MDC.ASPXAUTH=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: MDC.ASPXAUTH.BROWSER=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: LoginProvider=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: MDC.REGIONAL=global; path=/; secure; HttpOnly
Set-Cookie: .ASPXANONYMOUS=USrej6jE1AEkAAAAOWRmYjcxY2EtYjZmOC00MzEwLWI2NzItMDllMTc0YmQ4NTM19Q1f3UreZvy5eb5H-ibPZCZhA6s1; expires=Thu, 14-Feb-2019 21:02:14 GMT; path=/; secure; HttpOnly
Set-Cookie: MDC.ASPXAUTH.IPAUTHENFAIL=; path=/; secure; HttpOnly
Set-Cookie: Mdc.FedAuth=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: credentials=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: MDC.ASPXAUTH=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: MDC.ASPXAUTH.BROWSER=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: LoginProvider=; domain=.moodys.com; expires=Thu, 07-Dec-2017 10:22:14 GMT; path=/; secure
Set-Cookie: MDC.REGIONAL=global; path=/; secure; HttpOnly
Set-Cookie: usertype=%3b0%3b; path=/; secure
Set-Cookie: Qualtrics=%3b1%3b; path=/; secure
Set-Cookie: bm_mi=EA8D2F62CC9F553F5AA8CE4715FF7744~RZCmNDXxsQ8ix3y5tdQSw1KdjJkicwEyzovJnlKnKM0MN/NdYaN9J8Ju+7I2L4kAfbO5bwaBtc2E/pUwSUr9DvmQtbW4LGScrRITejt4zRJJPi5w7GLkl2q63X2UHI/hyoheAm/NEU0Jg8mMUQMS0LK6HpWDG6/FUQtskmE2G0XRt2k71KNF2JzuDQxqZJYwqUGKZDFnYN3qaTpOzsmyQQY7GeMwhsBu2FdFjG4a54Y=; Domain=.moodys.com; Path=/; Max-Age=7198; HttpOnly
Set-Cookie: bm_sv=269486A824D42EEBE83668509A1AB62A~EkmpjaL6V1N88IPWxMKL2sFaBASrMR0+C6qfqm1VMUJ0K+lf0v0XAI/qP/3XDr7ToGerLRucd4B3Iep2kw3+EObpSziuodU79lOT9TdnAAiDRIdzPQZYyzYzSNt0XzJxzbch5NZMWURt5mkXZEN0tYRtNqA+XwYbiIes5IXlFPU=; Domain=.moodys.com; Path=/; Max-Age=7200; HttpOnly

Regards

Alok Sarda

aloksard
McAfee Employee
Message 7 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

Hi,

Hope you are doing well.

You can configure your policy in such a way that the rule present under the Common Rules Set to remove the field X-Forwarded-For is not applicable for this problematic website.

For example: your current rule might be having criteria as Always, and for all traffic the X-Forwarded-For header should be removed.

You could, for example, tweak this rule and change the criteria from Always to URL.host does not match *moody.com*. This is just an example.

Or else I suggest opening a support ticket so that we can gather some logs from your MWG for further investigation if required.

Regards

Alok Sarda
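The two ways of excepting one site from the X-Forwarded-For rule (the URL.Host criteria suggested above and the dummy-value workaround from the accepted solution) modelled side by side with a leak check, as an added example that is not MWG rule syntax or McAfee code. The host pattern *moodys.com*, the internal address 10.20.30.40 and the placeholder 203.0.113.1 are constructed assumptions.

```python
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Headers the Common Rules Set strips so internal addresses never reach the web server.
TRACKING_HEADERS = ("x-forwarded-for", "via")
# Address ranges treated as "internal" for the leak check (RFC 1918).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def strip_tracking_headers(headers):
    """Original rule with criteria 'Always': drop the tracking headers."""
    return {k: v for k, v in headers.items() if k.lower() not in TRACKING_HEADERS}

def host_matches(host, patterns):
    """Case-insensitive glob match, standing in for MWG's URL.Host matching."""
    return any(fnmatch(host.lower(), p.lower()) for p in patterns)

def rule_does_not_match(host, headers, exceptions):
    """Variant suggested above: strip only when URL.Host does not match; the excepted site gets the real header."""
    if host_matches(host, exceptions):
        return dict(headers)
    return strip_tracking_headers(headers)

def rule_dummy_value(host, headers, exceptions, placeholder="203.0.113.1"):
    """Accepted workaround: strip everywhere, then add a dummy X-Forwarded-For (RFC 5737 address) for the excepted site."""
    out = strip_tracking_headers(headers)
    if host_matches(host, exceptions):
        out["X-Forwarded-For"] = placeholder
    return out

def leaked_internal_ips(headers):
    """Internal addresses still present in X-Forwarded-For, i.e. what the web server could log."""
    found = []
    for k, v in headers.items():
        if k.lower() != "x-forwarded-for":
            continue
        for part in v.split(","):
            try:
                ip = ip_address(part.strip())
            except ValueError:
                continue  # malformed entry, nothing to leak
            if any(ip in net for net in INTERNAL_NETS):
                found.append(str(ip))
    return found

# Constructed sample request as the proxy would forward it before the rule runs.
SAMPLE = {"Host": "www.moodys.com", "X-Forwarded-For": "10.20.30.40",
          "Via": "1.1 mwg.example.internal", "User-Agent": "Mozilla/5.0"}
EXCEPTIONS = ["*moodys.com*"]
```

Running both rules on SAMPLE shows the difference: the "does not match" variant forwards 10.20.30.40 to the excepted site, while the dummy-value variant leaks nothing and still drops Via.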

aloksard
McAfee Employee
Message 8 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

Hi,

It is often seen that a destination server does not respond when it sees X-Forwarded-For in a request, but not the other way round.

Note: There are situations in which web servers may act strange when they see the Via Header and/or x-forwarded-for headers. These are not common scenarios as properly coded servers are supposed to ignore headers they are not interested in. In this case, it may be needed to remove these headers only for these specific web servers.

https://community.mcafee.com/t5/Documents/Web-Gateway-Via-and-X-Forwarded-For-Headers-Proxy-Loop/ta-...

Regards

Alok Sarda

otruniger
Level 10
Message 9 of 10

Re: MWG cannot complete SSL handshake to www.moodys.com

Hi, thank you very much for your support. I appreciate it.

Somehow I'm not surprised that you cannot reproduce my problem with X-Forwarded-For removed. After all, it should not cause a problem. I guess in my case the problem is just triggered by that header field, but there probably is a dependency in my rule set I'm not seeing yet. BTW, we also always remove the Via header with the integrated proxy handler.

I will now first work on a workaround rule to deal with that specific webserver before spending more time on finding the real issue.
