Thanks tao, but we want to allow access to consumer Gmail. Just not allow uploads.
Understood, just was wondering if you had any rule sets in place - perhaps review them again, just to rule them out.
Gotcha, I'll play around with it a bit but I haven't had much luck so far. Whitelisting it to bypass the SSL scanner is the only thing that's fixing it.
Using the developer tools in a browser can be very useful when some background element is getting a block page or, in this case, a handshake failure. You can look at the HTTP status text, as it will have the "Block Reason" from the block settings.
Copy the blocked URLs and pull them up directly in the browser, so that you can examine the error text.
If it includes "unsafe legacy renegotiation", then you need settings (you can have multiple settings) that have checked "Allow handshake and renegotiation with servers that do not implement RFC 5746".
I've only found a few sites that don't like "Send empty plaintext fragment". You'll need "Allow legacy signatures in the handshake" checked for SHA1.
And, there are plenty of sites that will just drop a connection if you allow SSLv3, even if you have all the TLS versions checked.
From there, it's all about the ciphers.
Thanks for the help johnaldridge.
I've actually tried changing some of the inspection (I've narrowed the issue down to "Enable Content Inspection" rule) options but no luck. I worked with a tech and changed some of the cipher options, but again to no avail. It seems that the content inspection is stalling the connection to Gmail.
I'm looking at the developer tools and when I look at the Security tab I notice that some are Unknown / Canceled:
So then I click on one and go to the Network Panel and it appears to be stalling:
I still can't figure out why it's stalling. I'm not sure where I should look next?