5 Replies Latest reply on Mar 22, 2015 10:13 PM by bwallace1

    SSL Intercept _ SSLV3

    feickholt

      We use SSL Intercept. On some HTTPS sites we receive the error: SSL routines:SSL3_GET_RECORD:wrong version number

      In the SSL Intercept configuration I already enabled and disabled SSL3 support.

      No change.

      What does this error mean to me? How can I avoid this?

      FRANK

        • 1. Re: SSL Intercept _ SSLV3
          M Bagheryan M

          Maybe your case is connected to this issue:

          How McAfee Web Gateway can protect end users from the POODLE vulnerability

          Enjoy.

          M.B.M

          • 2. Re: SSL Intercept _ SSLV3
            feickholt

            This is the site I tried to connect to: kunde.comdirect.de

            sslyze tells me:

            CHECKING HOST(S) AVAILABILITY
            -----------------------------

               kunde.comdirect.de:443              => 193.41.132.20:443


            SCAN RESULTS FOR KUNDE.COMDIRECT.DE:443 - 193.41.132.20:443
            -----------------------------------------------------------

              * Deflate Compression:
                  OK - Compression disabled

              * Session Renegotiation:
                  Client-initiated Renegotiations:   VULNERABLE - Server honors client-initiated renegotiations
                  Secure Renegotiation:              OK - Supported

              * OpenSSL Heartbleed:
                  OK - Not vulnerable to Heartbleed

              * Certificate - Content:
                  SHA1 Fingerprint:                  41a207b1a68f4344fe0ca0ee5e1affa5958d2a4e
                  Common Name:                       kunde.comdirect.de
                  Issuer:                            VeriSign Class 3 Extended Validation SSL SGC CA
                  Serial Number:                     18F7DC6DCA3088CAADF7D9B73C3C9BF2
                  Not Before:                        Apr 10 00:00:00 2014 GMT
                  Not After:                         May 16 23:59:59 2015 GMT
                  Signature Algorithm:               sha1WithRSAEncryption
                  Key Size:                          2048 bit
                  Exponent:                          65537 (0x10001)
                  X509v3 Subject Alternative Name:   {'DNS': ['kunde.comdirect.de']}

              * Certificate - Trust:
                  Hostname Validation:               OK - Subject Alternative Name matches
                  "Mozilla NSS - 08/2014" CA Store:  OK - Certificate is trusted, Extended Validation
                  "Microsoft - 08/2014" CA Store:    FAILED - Certificate is NOT Trusted: certificate has expired
                  "Apple - OS X 10.9.4" CA Store:    OK - Certificate is trusted
                  "Java 6 - Update 65" CA Store:     OK - Certificate is trusted
                  Certificate Chain Received:        ['kunde.comdirect.de', 'VeriSign Class 3 Extended Validation SSL SGC CA', 'VeriSign Class 3 Public Primary Certification Authority - G5']

              * Certificate - OCSP Stapling:
                  NOT SUPPORTED - Server did not send back an OCSP response.

              * SSLV2 Cipher Suites:
                  Server rejected all cipher suites.

              * Session Resumption:
                  With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
                  With TLS Session Tickets:          NOT SUPPORTED - TLS ticket not assigned.

              * TLSV1_2 Cipher Suites:
                  Preferred:
                             DHE-RSA-AES256-GCM-SHA384     DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                  Accepted:
                             ECDHE-RSA-AES256-SHA384       ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES256-SHA            DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES256-GCM-SHA384     DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES128-SHA            DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES128-GCM-SHA256     DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

              * TLSV1_1 Cipher Suites:
                  Preferred:
                             ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                  Accepted:
                             ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES256-SHA            DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES128-SHA            DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

              * TLSV1 Cipher Suites:
                  Preferred:
                             ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                  Accepted:
                             ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES256-SHA            DH-1024 bits   256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             AES256-SHA                    -              256 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             DHE-RSA-AES128-SHA            DH-1024 bits   128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/
                             RC4-SHA                       -              128 bits      HTTP 302 Found - https://kunde.comdirect.de/pbl/

              * SSLV3 Cipher Suites:
                  Server rejected all cipher suites.

            • 3. Re: SSL Intercept _ SSLV3
              feickholt

              I've tested this on MWG 7.4.2

              • 4. Re: SSL Intercept _ SSLV3
                M Bagheryan M

                I am still running my MWG with SSL3 off after the POODLE issue, and on this site, which I already checked in my lab, no error is shown.

                I still haven't found any other clue on it.

                • 5. Re: SSL Intercept _ SSLV3

                  Hello Frank -

                  My findings are the same as MBM's: I tested using 7.4.2.6 and 7.5.1, no errors.

                  Make sure your settings align with the doc mentioned by MBM. This actually resolves quite a few SSL-related issues, so please double check. This is the first thing we in support will ask about regarding your SSL Scanner settings.

                   

                  If the issue persists, then the next step is to run a tcpdump on the MWG and in the capture, observe the cipher exchange between MWG and the server.

                   

                  How does the server respond to MWG's CLIENT HELLO?

                  Is there a mismatch between the ciphers that MWG supports and what the server wants to use?

                  Do they agree on a cipher only to see an error after that?

                   

                  Here is a rundown of the general order of steps:

                   

                  When MWG contacts the server, it will suggest the most secure version of SSL/TLS that it (not the client) is configured for. These settings are found in two places via the MWG UI: Policy > Settings > SSL Scanner:

                  1) "Certificate Verification"

                  2) "Enable content Inspection"

                   

                  - Those settings apply to the connection between the Web Gateway and server ONLY -

                   

                  Let's say MWG wants to use TLS 1.2 but the site does not support it. The web server will send an SSL handshake failure in response to MWG's Client Hello. Usually at this point a renegotiation process would begin in which MWG would present a different version of SSL/TLS in a new Client Hello; if the site does not support renegotiation, then of course things stop right there.

                   

                  I see the site in question here does support TLS 1.2 and renegotiation.

                  Here is the ssllabs report on the site:

                  SSL Server Test: kunde.comdirect.de (Powered by Qualys SSL Labs)

                   

                  Hope this helps. If not, open a case with us if you haven't already, and we'd be happy to take a look at a capture of this-

                   

                  -Brent
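The tcpdump step Brent describes (look at what the server sends back to MWG's Client Hello) can be turned into a small triage script. The following is an added example, not code from the thread or from McAfee Web Gateway: it parses the first TLS record of a server's reply and reports whether it is a ServerHello, an alert such as handshake_failure, or not a TLS record at all (plaintext on port 443 is the usual reason OpenSSL reports "wrong version number"). The sample replies are constructed, not captured from kunde.comdirect.de or any other host.

```python
import struct

# TLS record content types and version bytes (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# Constructed sample replies (not from any real server), trimmed to the fields
# parsed below: a TLS 1.2 ServerHello, a fatal handshake_failure alert carried
# in a TLS 1.0 record, and a plaintext HTTP response arriving on port 443.
SAMPLE_SERVER_HELLO = b"\x16\x03\x03\x00\x06" + b"\x02\x00\x00\x02\x03\x03"
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02" + b"\x02\x28"
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n\r\n"


def classify_server_reply(data, expected=None):
    """Describe the first record a server sent back after a Client Hello.

    expected, if given, is the (major, minor) record version the client is
    prepared to accept; a different version is reported as a mismatch, which
    is the condition OpenSSL describes as "wrong version number".
    """
    if len(data) < 5:
        return {"kind": "truncated", "detail": "no complete 5-byte record header"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        # Not a TLS record at all (plaintext HTTP, a proxy banner, ...): the
        # most common reason OpenSSL complains about the version number.
        return {"kind": "not_tls", "detail": data[:16].decode("ascii", "replace")}
    version = VERSIONS.get((major, minor), "unknown 0x%02x%02x" % (major, minor))
    if expected is not None and (major, minor) != tuple(expected):
        return {"kind": "version_mismatch", "record_version": version}
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:
        level = "fatal" if body[0] == 2 else "warning"
        return {"kind": "alert", "record_version": version, "level": level,
                "description": ALERTS.get(body[1], "alert %d" % body[1])}
    if ctype == 22 and len(body) >= 6 and body[0] == 2:
        # ServerHello: type (1 byte), length (3 bytes), then the chosen version.
        chosen = VERSIONS.get((body[4], body[5]), "unknown")
        return {"kind": "server_hello", "record_version": version, "negotiated": chosen}
    return {"kind": CONTENT_TYPES[ctype], "record_version": version}


if __name__ == "__main__":
    for name, sample in [("server_hello", SAMPLE_SERVER_HELLO), ("alert", SAMPLE_ALERT),
                         ("plaintext", SAMPLE_PLAINTEXT)]:
        print(name, classify_server_reply(sample))
```

Feed it the first bytes of the server's reply exported from the MWG capture; an alert or a non-TLS reply points at the server side or something in the path, while a ServerHello followed by the error points at a mismatch later in the handshake.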