gunnars
Level 7

MWG7 fails to SSL handshake


Description: McAfee blocks the website with "The SSL handshake could not be performed".

Reason: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Recently upgraded code to 7.4.2.5.0 but have _not_ re-imported the SSL scanner ruleset yet since that one's giving me some other issues.

Any chance I can get this to work with the existing SSL scanner prior to tackling the reimport from library for the latest SSL Scanner?

Thank you.

1 Solution

Accepted Solutions
asabban
Level 17

Re: MWG7 fails to SSL handshake


Hello,

what I would do is create a new setting first which has the settings to make a successful handshake with this URL. To do so, access the MWG UI and go to Policy -> Settings. Click Add. Then a new dialog pops up where you configure the "Setting for..." in a long list. Scroll down until you find "Engines -> SSL Scanner". Configure the setting like this:

[Screenshot: 2014-12-10 11_12_29-Add Settings.png]

In the next step we create a list where we can put the Domains that cause problems and that this workaround setting should be used for. To do so switch to "Policy -> Lists". Click "Add" ("Plus" icon), make a new list "TLS 1.0 Fallback Hosts" of type "String":

[Screenshot: 2014-12-10 11_16_34-Add List.png]

Now add the exception to this list:

[Screenshot: 2014-12-10 11_17_38-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png]

Now we have the list and the setting; we are just missing the right rule. So go to "Policy -> Rule Sets". Find the "SSL Scanner" rule set and expand it. You may need to click the "Unlock" button if you do not see the underlying rule sets. Finally you should see this:

[Screenshot: 2014-12-10 11_18_54-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png]

Select the "Handle CONNECT Call" rule set. The rules should look similar to this:

[Screenshot: 2014-12-10 11_22_07-McAfee _ Web Gateway - MWG7-FB1 - 10.140.184.148.png]

We want to add a new rule in front of the last rule "Enable Certificate Verification". The new rule will basically look like this:

If URL.Host is in list "TLS 1.0 Fallback Hosts" Then Stop Rule Set and use our "Certificate Verification with TLS 1.0 Fallback" setting for SSL Scanner:

[Screenshot: 2014-12-10 11_25_18-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png]

As mentioned this rule must be placed before "Enable Certificate Verification".

After you have saved the changes, access should be possible.

Best,

Andre

6 Replies
asabban
Level 17

Re: MWG7 fails to SSL handshake


Hello,

It would be helpful if you could share the URL you are trying to access, in order to find out what the problem is.

Best,

Andre

gunnars
Level 7

Re: MWG7 fails to SSL handshake


Of course, thank you, here it is:

https://mills-store.basics.com/

asabban
Level 17

Re: MWG7 fails to SSL handshake


Hello!

From what I can see we do have some problem when making a TLS 1.0 connection to the server (it only supports older protocols, unfortunately). First we ask for TLS 1.2 but the server tells us it only supports TLS 1.0. When we then want to continue with TLS 1.0 the server closes the connection, which causes MWG to tell you the "Handshake Failed" message.

Unfortunately I cannot explain why exactly the server behaves like that; however, when we start with TLS 1.0 the connection is set up without a problem. It is possible to make a rule with a different SSL Scanner setting for this specific URL which will attempt to make a TLS 1.0 connection once the initial attempt has failed.

If you need an exact root cause analysis you should file a ticket with support to have them look at what exactly happens. If you are interested in the workaround I can help you, just let me know.

Best,

Andre

gunnars
Level 7

Re: MWG7 fails to SSL handshake


Yes, I will definitely take you up on that offer of a workaround. Your analysis confirms what I was seeing with curl -I and openssl s_client troubleshooting. Since the problem is server side, it would be helpful to know how we can force specific TLS versions for specific sites (not the best solution, since we'd have to review these "bypasses" for when the server side does get fixed).

Thank you!

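The per-host exception from the accepted solution, and the concern above that such bypasses need reviewing once the server side is fixed, can be kept honest with a small re-probe script. This is an added example, not code from the thread or from McAfee: a POSIX shell script that takes the hostnames of the "TLS 1.0 Fallback Hosts" list, attempts one handshake per protocol version with openssl s_client (the same tool used for troubleshooting in the thread), and reports whether each exception is still needed. The list contents, the script name and the SECLEVEL handling are assumptions; MWG offers no hook for this, so the list export is pasted in by hand.

```shell
#!/bin/sh
# Added example (not from the thread or McAfee): re-probe every host in the
# MWG "TLS 1.0 Fallback Hosts" list so the exception can be dropped once the
# server negotiates a modern protocol version again.

# Constructed sample of the list export: one hostname per line, '#' comments allowed.
# The hostname is the one from the thread; the comment is made up for illustration.
FALLBACK_HOSTS='
# servers that only negotiate TLS 1.0 (reviewed 2014-12-10)
mills-store.basics.com
'

# list_hosts: print the hostnames from FALLBACK_HOSTS, dropping comments and blank lines.
list_hosts() {
    printf '%s\n' "$FALLBACK_HOSTS" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# probe_version HOST VERSION_FLAG: one handshake restricted to a single protocol
# version (tls1, tls1_1, tls1_2 or tls1_3); prints "ok" or "fail".
# openssl s_client exits non-zero when the handshake fails. The SECLEVEL=0 cipher
# string is needed on OpenSSL 1.1/3.x, which otherwise refuse to offer TLS 1.0 and
# TLS 1.1 at all and would report every old-only server as "fail".
probe_version() {
    host=$1; ver=$2
    if printf '' | openssl s_client -connect "$host:443" -servername "$host" \
            "-$ver" -cipher 'DEFAULT:@SECLEVEL=0' >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# decide HOST TLS12_RESULT TLS10_RESULT: turn the two probe results into a review action.
# A host that now speaks TLS 1.2 no longer needs the weaker SSL Scanner setting;
# a host that fails both versions is not a version-negotiation problem at all.
decide() {
    case "$2:$3" in
        ok:*)    echo "$1: negotiates TLS 1.2 - remove from the fallback list" ;;
        fail:ok) echo "$1: still TLS 1.0 only - keep the exception, re-check later" ;;
        *)       echo "$1: no handshake with either version - investigate, a fallback rule will not help" ;;
    esac
}

# review: probe every listed host and print one action line per host.
review() {
    list_hosts | while read -r h; do
        decide "$h" "$(probe_version "$h" tls1_2)" "$(probe_version "$h" tls1)"
    done
}

# Network probing runs only when requested explicitly:  sh review_fallback.sh --run
if [ "${1:-}" = "--run" ]; then
    review
fi
```

Run it from a cron job or before each policy review; every host that comes back as "negotiates TLS 1.2" can be deleted from the list, which restores the normal "Enable Certificate Verification" rule and the default protocol settings for that site. If a host fails both probes, the problem is not the fallback (a firewall, a dead host or a certificate issue are more likely), and the SSL Scanner exception should not be left in place on the assumption that it helps.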
gunnars
Level 7

Re: MWG7 fails to SSL handshake


Just for my own records in the future, also see:

McAfee POODLE guide -

and the similar discussion here -
