Proxy Returns SSL Handshake Failed before Client Hello after ~150ms

We have a group working with an AWS service that we haven't used before (though many others are in use), and it just can't seem to get off the ground.

We've resorted to packet traces for understanding the breakdown.

Here's a summary:

  1. Client establishes socket to MWG (syn, syn/ack, ack).
  2. Client requests: POST https://monitoring.us-east-1.amazonaws.com HTTP/1.1  (application/x-amz-json-1.0)
  3. Proxy ack to client.
  4. About 150ms later, proxy establishes socket to distant server (syn, syn/ack, ack).
  5. Immediately following this (<1ms), the proxy sends the client a status 500, handshakefailed, along with the error page for "SSL Handshake failed".
  6. Remaining packets moot.

The thing is, there is no SSL inspection/intercept.

AWS support says that packet traces on working systems show the Client Hello going out about 180ms after the socket is established.

All of the proxy timeouts in the configuration are 10 seconds or more.

Is there a setting we need to know about here--a hidden timeout for SSL/TLS that applies when there is no SSL inspection/intercept?
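One way to check the timeline in the summary above programmatically, as an added example that is not part of the original post or of any McAfee tool: the script below takes a simplified packet-summary export (timestamp, source, destination, info column, as you would get from tshark), locates the client request, the proxy's upstream connection, the first Client Hello and the first 500 response, and reports whether the handshake failure was returned before any Client Hello ever went out. The two trace listings are constructed to match the summary in the question (a failing case and a case where the proxy completes the upstream TLS exchange), not real capture data; the host labels `client`, `proxy` and `upstream` are assumptions. It also notes whether the client sent a CONNECT or an absolute `https://` URL, because in the latter case it is the proxy, not the client, that has to open the TLS session.

```python
"""Flag a proxy that answers 'SSL handshake failed' before any Client Hello is sent.

Added example, not part of the original forum post. Input is a simplified packet
summary: "<ms since first packet> <src> <dst> <info>", one packet per line.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class Event:
    t_ms: float  # time since first packet, in milliseconds
    src: str
    dst: str
    note: str    # summary text, like a Wireshark/tshark "Info" column


# Constructed sample trace modelled on the question's summary (not a real capture).
FAILING_TRACE = [
    "0.0   client   proxy    TCP SYN",
    "0.4   proxy    client   TCP SYN/ACK",
    "0.5   client   proxy    TCP ACK",
    "1.2   client   proxy    HTTP POST https://monitoring.us-east-1.amazonaws.com HTTP/1.1",
    "1.4   proxy    client   TCP ACK",
    "151.0 proxy    upstream TCP SYN",
    "181.0 upstream proxy    TCP SYN/ACK",
    "181.1 proxy    upstream TCP ACK",
    "181.6 proxy    client   HTTP 500 handshakefailed",
]

# Constructed healthy counterpart: same start, but the proxy goes on to send its
# Client Hello upstream and eventually relays a 200 to the client.
WORKING_TRACE = FAILING_TRACE[:8] + [
    "361.0 proxy    upstream TLS Client Hello",
    "395.0 upstream proxy    TLS Server Hello",
    "430.0 proxy    client   HTTP 200 OK",
]


def parse_trace(lines: Iterable[str]) -> List[Event]:
    """Parse summary lines into Events, sorted by time."""
    events = []
    for line in lines:
        t, src, dst, note = line.split(maxsplit=3)
        events.append(Event(float(t), src, dst, note))
    return sorted(events, key=lambda e: e.t_ms)


def _first(events: List[Event], pred: Callable[[Event], bool]) -> Optional[Event]:
    return next((e for e in events if pred(e)), None)


def analyse(events: List[Event]) -> dict:
    """Return timing figures and a verdict about where the handshake failed."""
    request = _first(events, lambda e: e.src == "client" and e.note.startswith("HTTP "))
    upstream_syn = _first(events, lambda e: e.src == "proxy" and e.dst == "upstream"
                          and e.note == "TCP SYN")
    upstream_up = _first(events, lambda e: e.src == "proxy" and e.dst == "upstream"
                         and e.note == "TCP ACK")
    client_hello = _first(events, lambda e: "Client Hello" in e.note)
    failure = _first(events, lambda e: e.dst == "client" and e.note.startswith("HTTP 500"))

    result = {
        # A plain POST/GET with an https:// URL (no CONNECT) means the proxy must
        # open the TLS session itself; with CONNECT the client does the handshake.
        "proxy_terminates_tls": bool(request) and not request.note.startswith("HTTP CONNECT"),
        "upstream_connect_delay_ms": None,
        "failure_after_upstream_ms": None,
        "client_hello_seen": client_hello is not None,
        "verdict": "no handshake failure in trace",
    }
    if request and upstream_syn:
        result["upstream_connect_delay_ms"] = round(upstream_syn.t_ms - request.t_ms, 1)
    if failure and upstream_up:
        result["failure_after_upstream_ms"] = round(failure.t_ms - upstream_up.t_ms, 1)
    if failure:
        if client_hello is None or client_hello.t_ms > failure.t_ms:
            result["verdict"] = ("handshake failure returned before any Client Hello: "
                                 "the proxy gave up on its own, not on a TLS alert")
        else:
            result["verdict"] = "handshake failure after Client Hello: inspect the upstream TLS exchange"
    return result


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, analyse(parse_trace(trace)))
```

With a real capture, export the relevant streams with something like `tshark -r trace.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Info` and map the IP addresses to the `client`/`proxy`/`upstream` labels before feeding the lines in. A verdict of "before any Client Hello" with a sub-millisecond `failure_after_upstream_ms` is exactly the pattern in the summary above: the upstream TCP handshake completes and the proxy immediately fails the request without ever starting TLS, which points at a proxy-side decision rather than at the remote server.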

2 Replies

frank_enser (Reliable Contributor), Message 2 of 3

Re: Proxy Returns SSL Handshake Failed before Client Hello after ~150ms

Hi,

open a SR with McAfee about the SSL handshake error. They will certainly require a Rule Engine Trace (see here) and Connection Tracing (GUI->Configuration->Troubleshooting->Enable Connection Tracing, results are at GUI->Troubleshooting->Connection Tracing).

Typically, you'll get a technically sound answer quite fast from them.

Regards,

Frank

jscholte (McAfee Employee), Message 3 of 3

Re: Proxy Returns SSL Handshake Failed before Client Hello after ~150ms

If there is no SSL interception, I don't think we'd send a handshake failure back to the client.

I'm guessing that MWG might be performing the handshake instead of the client (this happens when "Enable cert verification" is enabled).

Have you tried a client IP bypass at the very top of the rules as a test?

Best Regards,

Jon
