Has anyone else noticed an uptick in SSL handshake failures after upgrading to 184.108.40.206.0? Here is the message we are typically getting when these sites fail:
Reason: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:SSL error at server handshake:state 25:Application response 500 handshakefailed
Of course we can bypass SSL scanning for these sites, but that's probably not the preferred solution. We have the recommended POODLE configuration already.
I understand there is a problem with SHA1 fallback but I'm seeing handshake failures on sites that are SHA2 as well. Below are a couple of examples:
220.127.116.11 removed 6 signature hash algorithms. 18.104.22.168 adds 3 back if you select the option to Allow legacy signatures in the handshake.
It's possible to get the pcbtax site working on 22.214.171.124 by configuring the certificate verification settings so that TLS 1.1 is the strongest option selected in the alternative handshake settings. When this is done, the initial handshake using TLS 1.2 will fail and the attempt that uses TLS 1.1 will succeed.
This doesn't help for the epsoninsider site because that site only supports TLS 1.2, but it will work if certificate verification is configured with TLS 1.2 selected and Server cipher list: TLSv1.2:!DSS:!DH:!NULL:@STRENGTH