Yes, the same thing happened to me here today.
The SSL handshake could not be performed. Host: login.live.com
But when I bypass the proxy, everything works as normal.
I can replicate the problem. This is a known problem with some SSL sites which should be solved in the near future. In the meantime there is a workaround described here:
It describes how to apply a workaround for several web sites which are added to a list. If you add the rule described and add "login.live.com" to the associated list, access will work.
Hm... so in this case I'm confused.
By creating the workaround above, it means that the security policy for the clients in our domain is lowered as the workaround until Microsoft or Hotmail change their settings?
So when should I remove this exception / workaround?
If you follow the POODLE guide, it's not a workaround, it's the overall fix, so there is no need to maintain or remove anything.
I'm following the guide "Re: MWG7 fails to SSL handshake" up to the point of
"If URL.Host is in list "TLS 1.0 Fallback Hosts" Then Stop Rule Set and use our "Certificate Verification with TLS 1.0 Fallback" setting for SSL Scanner"
but somehow I cannot find the AND button to click to select the SSL scanner setting?
See the screenshot below:
You should be looking at the rule criteria not the action.
For simplicity's sake, please follow the POODLE guide (How McAfee Web Gateway can protect end users from the POODLE vulnerability).
The guide Andre mentioned has you create a list that you must maintain; the POODLE guide updates the default rules to use the suggested settings.
Yes, thank you jscholte, all of the Microsoft Passport sites are working with your method :-)
So I guess in this case I will now have to maintain the list of SSL 3.0 site exceptions which may be required by the users.
I wasn't aware of the POODLE guide; you definitely want to go for it.
My version is - as stated - a workaround only for specific sites. I was assuming this behaviour is caused by a problem which will be fixed in a later MWG version; in such situations you may want to go for a temporary workaround :-)