6 Replies Latest reply on Jan 6, 2015 9:39 AM by gunnars

    MWG7 fails to SSL handshake

    gunnars

      Description: McAfee blocks website as "The SSL handshake could not be performed"

      Reason: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

      Recently upgraded code to 7.4.2.5.0 but have _not_ re-imported the SSL scanner ruleset yet since that one's giving me some other issues.

      Any chance I can get this to work with the existing SSL scanner prior to tackling the reimport from library for the latest SSL Scanner?

      Thank you.

        • 1. Re: MWG7 fails to SSL handshake
          asabban

          Hello,

          It would be helpful if you could share the URL you are trying to access in order to find out what the problem is.

          Best,

          Andre

          • 2. Re: MWG7 fails to SSL handshake
            gunnars

            Of course, thank you, here it is:

            https://mills-store.basics.com/

            • 3. Re: MWG7 fails to SSL handshake
              asabban

              Hello!

              From what I can see we do have some problem when making a TLS 1.0 connection to the server (it only supports older protocols, unfortunately). First we ask for TLS 1.2 but the server tells us it only supports TLS 1.0. When we then want to continue with TLS 1.0 the server closes the connection, which causes MWG to tell you the "Handshake Failed" message.

              Unfortunately I cannot explain why exactly the server behaves like that; however, when we start with TLS 1.0 the connection is set up without a problem. It is possible to make a rule with a different SSL Scanner setting for this specific URL which will attempt to make a TLS 1.0 connection once the initial attempt has failed.

              If you need an exact root cause analysis you should file a ticket with support to have them look at what exactly happens. If you are interested in the workaround I can help you, just let me know.

              Best,

              Andre

              • 4. Re: MWG7 fails to SSL handshake
                gunnars

                Yes, I will definitely take you up on that offer of a workaround. Your analysis confirms what I was seeing with curl -I and openssl s_client troubleshooting. Since the problem is server side, it would be helpful to know how we can force specific TLS versions for specific sites (not the best solution, since we'd have to review these "bypasses" for when the server side does get fixed).

                Thank you!
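The troubleshooting described in the last two replies, as an added example that is not code from this thread, from McAfee or from the gateway product: a small Python probe that pins exactly one TLS version per handshake (the same idea as `openssl s_client -tls1` / `-tls1_2`), so a server that only completes TLS 1.0 shows up unambiguously, plus an emulation of the per-host fallback rule Andre outlines (try TLS 1.2 first, retry at TLS 1.0 only for hosts on an explicit list). It also splits an OpenSSL error line like the one in the original post into its fields. The connector is injectable, so the demo runs offline against a constructed stand-in for the misbehaving server; `openssl_connect`, `probe_versions`, `connect_with_fallback`, `parse_openssl_error`, `tls10_only_server` and the host `example.test` are my names and placeholders, not anything from the thread.

```python
"""Pin one TLS version per handshake to see which versions a server really
accepts, then emulate a per-host "try TLS 1.2, fall back to TLS 1.0" rule.

Added example; not code from the thread or from McAfee Web Gateway.
"""
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Set

# Newest first: the order a proxy would offer versions before stepping down.
PROBE_ORDER: List[ssl.TLSVersion] = [
    ssl.TLSVersion.TLSv1_3,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1,
]

# A connector performs one handshake at exactly `version` and returns the
# negotiated protocol name; it raises ssl.SSLError / OSError on failure.
Connector = Callable[[str, int, ssl.TLSVersion], str]


def openssl_connect(host: str, port: int, version: ssl.TLSVersion,
                    timeout: float = 5.0) -> str:
    """Real connector (hypothetical helper name): like `openssl s_client -tls1_x`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Current OpenSSL builds refuse TLS 1.0/1.1 at the default security
        # level; lower it for this diagnostic probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def tls10_only_server(host: str, port: int, version: ssl.TLSVersion) -> str:
    """Constructed stand-in for the server in the thread: it completes a
    TLS 1.0 handshake and drops anything newer. Lets the demo run offline."""
    if version == ssl.TLSVersion.TLSv1:
        return "TLSv1"
    raise ssl.SSLError(1, "server closed the connection during the handshake")


def probe_versions(host: str, port: int, connector: Connector = openssl_connect,
                   order: Iterable[ssl.TLSVersion] = PROBE_ORDER) -> Dict[str, str]:
    """One isolated handshake per version, so results are not masked by fallback."""
    results: Dict[str, str] = {}
    for version in order:
        try:
            results[version.name] = f"ok ({connector(host, port, version)})"
        except ssl.SSLCertVerificationError as exc:
            # Certificate checks run after the version is agreed in the
            # ServerHello, so the version is supported even though trust failed.
            results[version.name] = f"ok, certificate rejected: {exc.verify_message}"
        except ssl.SSLError as exc:
            results[version.name] = f"handshake failed: {getattr(exc, 'reason', None) or exc}"
        except OSError as exc:
            results[version.name] = f"connection error: {exc}"
        except ValueError as exc:
            # Raised when the local OpenSSL cannot offer the version at all.
            results[version.name] = f"client cannot offer this version: {exc}"
    return results


def connect_with_fallback(host: str, port: int, fallback_hosts: Set[str],
                          connector: Connector = openssl_connect,
                          preferred: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                          fallback: ssl.TLSVersion = ssl.TLSVersion.TLSv1) -> str:
    """Emulate the gateway rule: every host gets `preferred`; only hosts on the
    explicit list are retried at `fallback`, so the weaker version never
    applies to sites that were not reviewed and listed."""
    try:
        return connector(host, port, preferred)
    except (ssl.SSLError, OSError):
        if host not in fallback_hosts:
            raise
    return connector(host, port, fallback)


def parse_openssl_error(message: str) -> Dict[str, str]:
    """Split an OpenSSL error line 'error:<code>:<library>:<function>:<reason>'
    into fields; the function name says which handshake stage failed."""
    _, marker, rest = message.partition("error:")
    fields = rest.split(":", 3)
    if not marker or len(fields) != 4:
        raise ValueError(f"not an OpenSSL error line: {message!r}")
    code, library, function, reason = fields
    return {"code": code, "library": library, "function": function, "reason": reason}


if __name__ == "__main__":
    host = "example.test"  # placeholder host, not a real target
    print(probe_versions(host, 443, connector=tls10_only_server))
    print("fallback:", connect_with_fallback(host, 443, {host}, connector=tls10_only_server))
    print(parse_openssl_error(
        "error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac"))
```

Against a live host, pass the default `openssl_connect` connector instead of the stand-in; the per-version table makes the "1.2 refused, 1.0 accepted" pattern from the thread visible at a glance, and the fallback list mirrors the "TLS 1.0 Fallback Hosts" idea so the downgrade stays scoped to hosts someone has explicitly reviewed.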

                • 5. Re: MWG7 fails to SSL handshake
                  asabban

                  Hello,

                  What I would do is create a new setting first which has the options needed to make a successful handshake with this URL. To do so access the MWG UI, go to Policy -> Settings. Click Add. Then a new dialog pops up where you choose the "Setting for..." from a long list. Scroll down until you find "Engines -> SSL Scanner". Configure the setting like this:

                  2014-12-10 11_12_29-Add Settings.png

                  In the next step we create a list where we can put the Domains that cause problems and that this workaround setting should be used for. To do so switch to "Policy -> Lists". Click "Add" ("Plus" icon), make a new list "TLS 1.0 Fallback Hosts" of type "String":

                  2014-12-10 11_16_34-Add List.png

                  Now add the exception to this list:

                  2014-12-10 11_17_38-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png

                  Now we have the list and the setting; we are just missing the right rule. So go to "Policy -> Rule Sets". Find the "SSL Scanner" rule set and expand it like so. You may need to click the "Unlock" button if you do not see the underlying rule sets. Finally you should see this:

                  2014-12-10 11_18_54-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png

                  Select the "Handle CONNECT Call" rule set. The rules should look similar to this:

                  2014-12-10 11_22_07-McAfee _ Web Gateway - MWG7-FB1 - 10.140.184.148.png

                  We want to add a new rule in front of the last rule "Enable Certificate Verification". The new rule will basically look like this:

                  If URL.Host is in list "TLS 1.0 Fallback Hosts" Then Stop Rule Set and use our "Certificate Verification with TLS 1.0 Fallback" setting for SSL Scanner:

                  2014-12-10 11_25_18-McAfee _ Web Gateway - MWG7-Test-1 - 10.140.184.144.png

                  As mentioned, this rule must be placed before "Enable Certificate Verification".

                  After you have saved the changes, access should be possible.

                  Best,

                  Andre

                  • 6. Re: MWG7 fails to SSL handshake
                    gunnars

                    Just for my own records in the future, also see:

                    McAfee POODLE guide - How McAfee Web Gateway can protect end users from the POODLE vulnerability

                    and the similar discussion here - Re: Mcafee Web Gateway cannot access web hotmail