feickholt
Level 10

SSL Intercept _ SSLV3

We use SSL Intercept. On some HTTPS sites we receive the error: SSL routines:SSL3_GET_RECORD:wrong version number

In the SSL intercept configuration I already enabled and disabled SSL3 support.

No Change.

What does this error mean to me? How can I avoid this?

FRANK

0 Kudos
5 Replies
mbagheryan
Level 12

Re: SSL Intercept _ SSLV3

Maybe your case is connected to this issue:

Enjoy.

M.B.M

0 Kudos
feickholt
Level 10

Re: SSL Intercept _ SSLV3

This is the site I tried to connect to: kunde.comdirect.de

SSLyze tells me:

CHECKING HOST(S) AVAILABILITY

-----------------------------

   kunde.comdirect.de:443              => 193.41.132.20:443

SCAN RESULTS FOR KUNDE.COMDIRECT.DE:443 - 193.41.132.20:443

-----------------------------------------------------------

  * Deflate Compression:

      OK - Compression disabled

  * Session Renegotiation:

      Client-initiated Renegotiations:   VULNERABLE - Server honors client-initiated renegotiations

      Secure Renegotiation:              OK - Supported

  * OpenSSL Heartbleed:

      OK - Not vulnerable to Heartbleed

  * Certificate - Content:

      SHA1 Fingerprint:                  41a207b1a68f4344fe0ca0ee5e1affa5958d2a4e

      Common Name:                       kunde.comdirect.de

      Issuer:                            VeriSign Class 3 Extended Validation SSL SGC CA

      Serial Number:                     18F7DC6DCA3088CAADF7D9B73C3C9BF2

      Not Before:                        Apr 10 00:00:00 2014 GMT

      Not After:                         May 16 23:59:59 2015 GMT

      Signature Algorithm:               sha1WithRSAEncryption

      Key Size:                          2048 bit

      Exponent:                          65537 (0x10001)

      X509v3 Subject Alternative Name:   {'DNS': ['kunde.comdirect.de']}

  * Certificate - Trust:

      Hostname Validation:               OK - Subject Alternative Name matches

      "Mozilla NSS - 08/2014" CA Store:  OK - Certificate is trusted, Extended Validation

      "Microsoft - 08/2014" CA Store:    FAILED - Certificate is NOT Trusted: certificate has expired

      "Apple - OS X 10.9.4" CA Store:    OK - Certificate is trusted

      "Java 6 - Update 65" CA Store:     OK - Certificate is trusted

      Certificate Chain Received:        ['kunde.comdirect.de', 'VeriSign Class 3 Extended Validation SSL SGC CA', 'VeriSign Class 3 Public Primary Certification Authority - G5']

  * Certificate - OCSP Stapling:

      NOT SUPPORTED - Server did not send back an OCSP response.

  * SSLV2 Cipher Suites:

      Server rejected all cipher suites.

  * Session Resumption:

      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).

      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket not assigned.

  * TLSV1_2 Cipher Suites:

      Preferred:

                 DHE-RSA-AES256-GCM-SHA384     DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

      Accepted:

                 ECDHE-RSA-AES256-SHA384       ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES256-GCM-SHA384     DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES128-GCM-SHA256     DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

  * TLSV1_1 Cipher Suites:

      Preferred:

                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

      Accepted:

                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

  * TLSV1 Cipher Suites:

      Preferred:

                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

      Accepted:

                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 AES256-SHA                    -              256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

                 RC4-SHA                       -              128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

  * SSLV3 Cipher Suites:

      Server rejected all cipher suites.

0 Kudos
feickholt
Level 10

Re: SSL Intercept _ SSLV3

I've tested this on MWG 7.4.2

0 Kudos
bwallace1
Level 9

Re: SSL Intercept _ SSLV3

Hello Frank -

My findings are the same as MBM's - I tested using 7.4.2.6 and 7.5.1 = no errors.

Make sure your settings align with the doc mentioned by MBM - this actually resolves quite a few SSL related issues, so please double check. This is the 1st thing we here in support will ask about, regarding your SSL scanner settings.

If the issue persists, then the next step is to run a tcpdump on the MWG and in the capture, observe the cipher exchange between MWG and the server.

How does the server respond to MWG's CLIENT HELLO?

Is there a mismatch between the ciphers that MWG supports and what the server wants to use?

Do they agree on a cipher only to see an error after that?

Here is a rundown of the general order of steps:

When MWG contacts the server, it will suggest the most secure version of ssl/tls which IT, not the client, is configured for. These settings are found in two places via the MWG UI: Policy > settings > SSL Scanner:

1) "Certificate Verification"

2) "Enable content Inspection"

- Those settings apply to the connection between the Web Gateway and server ONLY -

Let's say MWG wants to use TLS 1.2 but the site does not support it. The webserver will send an SSL handshake failure in response to the MWG's Client Hello. Usually at this point a renegotiation process would begin where MWG would present a different version of SSL/TLS in a new Client HELLO - if the site does not support renegotiation, then of course things stop right there.

I see the site in question here does support TLS 1.2 and renegotiation.

Here is the ssllabs report on the site:

SSL Server Test: kunde.comdirect.de (Powered by Qualys SSL Labs)

Hope this helps. If not, open a case with us if you haven't already, and we'd be happy to take a look at a capture of this-

-Brent
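Added example, not part of the reply above and not MWG or OpenSSL code: a minimal parser for the first bytes the server sends back after the Client Hello, as they would be copied out of the tcpdump capture. It separates the three outcomes the questions above ask about (an agreed version and cipher, a fatal alert, or a reply that does not carry a valid TLS record header at all). The function name, lookup tables and sample byte strings are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
# Small subset of the cipher suite registry, enough for the constructed samples.
SUITES = {0x009F: "DHE-RSA-AES256-GCM-SHA384", 0xC014: "ECDHE-RSA-AES256-SHA", 0x0005: "RC4-SHA"}

# Constructed sample replies (not taken from a real capture).
SAMPLE_SERVER_HELLO = (bytes.fromhex("160303002a" "02000026" "0303") + bytes(32)
                       + bytes.fromhex("00" "009f" "00"))
SAMPLE_FATAL_ALERT = bytes.fromhex("15030100020228")
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n"


def describe_server_reply(data: bytes) -> dict:
    """Classify the first record the server sends after the Client Hello."""
    if len(data) < 5:
        return {"kind": "truncated"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    # A TLS record starts with a known content type and major version 3;
    # anything else is what a strict record parser rejects as a bad version.
    if ctype not in CONTENT_TYPES or version >> 8 != 3:
        return {"kind": "not_tls", "first_bytes": data[:8]}
    body = data[5:5 + length]
    out = {"kind": CONTENT_TYPES[ctype], "record_version": VERSIONS.get(version, hex(version))}
    if ctype == 21 and len(body) >= 2:
        out["level"] = "fatal" if body[0] == 2 else "warning"
        out["alert"] = ALERTS.get(body[1], str(body[1]))
    elif ctype == 22 and len(body) >= 39 and body[0] == 2:  # 2 = ServerHello
        hello = body[4:]                  # skip message type (1) + length (3)
        sid_len = hello[34]               # follows version (2) + random (32)
        if len(hello) >= 37 + sid_len:
            chosen, = struct.unpack("!H", hello[:2])
            suite, = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])
            out["negotiated_version"] = VERSIONS.get(chosen, hex(chosen))
            out["cipher_suite"] = SUITES.get(suite, hex(suite))
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_SERVER_HELLO, SAMPLE_FATAL_ALERT, SAMPLE_PLAINTEXT):
        print(describe_server_reply(sample))
```
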

mbagheryan
Level 12

Re: SSL Intercept _ SSLV3

I am still using SSL3 off in my MWG after the POODLE issue, and over this site, which I already checked in my lab, no error is shown.

I still didn't find any other clue on it.

0 Kudos