6 Replies Latest reply on May 9, 2017 2:13 PM by nate.hall

    GMAIL & SSL Issues

    nate.hall

      We are running into some issues with Gmail and the SSL Scanner. I think Gmail has updated their SSL cipher and we are seeing the following issues across all browsers:

       

      • We can't delete emails
      • If we are able to delete emails, the next time we load Gmail all the deleted messages are still in our inbox

       

      If I bypass the SSL scanner in MWG for mail.google.com then everything works fine. The issue with this is that we block uploads/downloads in Gmail and if we bypass the scanner our upload block rule no longer works.

       

      Does anyone have any workarounds to get this working but keep blocking uploads/downloads?

       

      Thanks!

        • 2. Re: GMAIL & SSL Issues
          nate.hall

          Thanks tao, but we want to allow access to consumer Gmail. Just not allow uploads.

          • 3. Re: GMAIL & SSL Issues
            tao

            Understood, just was wondering if you had any rule sets in place - perhaps review them again, just to rule them out.

            • 4. Re: GMAIL & SSL Issues
              nate.hall

              Gotcha, I'll play around with it a bit but I haven't had much luck so far. Whitelisting it to bypass the SSL scanner is the only thing that's fixing it.

              • 5. Re: GMAIL & SSL Issues
                johnaldridge

                Using the developer tools in a browser can be very useful when some background element is getting a block page or, in this case, a handshake failure.  You can look at the HTTP status text, as it will have the "Block Reason" from the block settings. 

                 

                Copy the blocked URLs and pull them up directly in the browser, so that you can examine the error text.

                 

                If it includes "unsafe legacy renegotiation", then you need settings (you can have multiple settings) that have checked "Allow handshake and renegotiation with servers that do not implement RFC 5746".

                 

                I've only found a few sites that don't like "Send empty plaintext fragment".  You'll need "Allow legacy signatures in the handshake" checked for SHA1. 

                 

                And, there are plenty of sites that will just drop a connection if you allow SSLv3, even if you have all the TLS versions checked.

                 

                From there, it's all about the ciphers.
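
The developer-tools triage described in reply 5, as an added example that is not part of the original posts: a Python script that reads a HAR file saved from the browser's Network panel and lists requests that got no response, stalled, or came back with an error status text. The sample HAR is constructed, the 5-second stall threshold is an assumption, and `_error` is the field Chrome writes for failed requests (treated here as optional).

```python
import json

# Constructed sample HAR (not captured from the environment in this thread).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://mail.google.com/constructed/inbox"},
     "response": {"status": 200, "statusText": "OK"},
     "timings": {"blocked": 3.1, "ssl": 41.0, "wait": 120.5}},
    {"request": {"method": "POST", "url": "https://mail.google.com/constructed/delete"},
     "response": {"status": 0, "statusText": "", "_error": "net::ERR_ABORTED"},
     "timings": {"blocked": 30012.4, "ssl": -1, "wait": -1}},
    {"request": {"method": "GET", "url": "https://example.invalid/blocked.js"},
     "response": {"status": 403, "statusText": "Constructed Block Reason"},
     "timings": {"blocked": 1.0, "ssl": 35.2, "wait": 12.0}},
]}})

STALL_MS = 5000  # assumed threshold for calling a request "stalled"


def triage(har_text, stall_ms=STALL_MS):
    """Return (verdict, method, url, detail) for every request that failed."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        timings = entry.get("timings", {})
        stalled = max(timings.get("blocked", -1), 0)  # HAR uses -1 for "not applicable"
        if resp["status"] == 0:
            # No HTTP response at all: canceled, reset, or a failed handshake.
            verdict = "no-response"
            detail = resp.get("_error") or "no error recorded"
            if stalled >= stall_ms:
                verdict = "stalled"
                detail += f" after {stalled:.0f} ms queued/stalled"
        elif resp["status"] >= 400:
            # Something answered (possibly the proxy); the status text carries the reason.
            verdict = "blocked-or-error"
            detail = f'{resp["status"]} {resp["statusText"]}'.strip()
        else:
            continue
        findings.append((verdict, req["method"], req["url"], detail))
    return findings


if __name__ == "__main__":
    for verdict, method, url, detail in triage(SAMPLE_HAR):
        print(f"{verdict:17} {method:5} {url}  [{detail}]")
```

Requests listed as `blocked-or-error` are the ones worth opening directly to read the full error text; `stalled` and `no-response` entries never produced a status text, so the proxy's own logs are the next place to look for them.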

                • 6. Re: GMAIL & SSL Issues
                  nate.hall

                  Thanks for the help johnaldridge.

                   

                  I've actually tried changing some of the inspection options (I've narrowed the issue down to the "Enable Content Inspection" rule) but no luck. I worked with a tech and changed some of the cipher options, but again to no avail. It seems that the content inspection is stalling the connection to Gmail.

                   

                  I'm looking at the developer tools and when I look at the Security tab I notice that some are Unknown / Canceled:

                  DevTools1.PNG

                   

                  So then I click on one and go to the Network Panel and it appears to be stalling:

                   

                  DevTools2.PNG

                   

                  I still can't figure out why it's stalling. I'm not sure where I should look next?