0 Replies Latest reply on Feb 27, 2017 9:26 PM by alex.shpilman

    ALPN issue on MWG 7.7.0.3 with Chrome

    alex.shpilman

      Hi,

      We're running MWG version 7.7.0.3. Lately we've had a few sites that don't work with Chrome when SSL scanning is enabled; IE works fine.

      The following SSL error message is displayed:

      The SSL handshake could not be performed.

      Host: www.tvnz.co.nz

      Reason: error:14094460:SSL routines:ssl3_read_bytes:reason(1120):SSL error at server handshake:state 25:Application response 500 handshakefailed

      A Wireshark capture suggests that the remote site rejects the connection with "No application Protocol"; it looks like the MWG is stripping the ALPN.

      MWG to Server Client Hello:

      Secure Sockets Layer
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 512
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 508
                  Version: TLS 1.2 (0x0303)
                  Random
                  Session ID Length: 0
                  Cipher Suites Length: 172
                  Cipher Suites (86 suites)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                  Extensions Length: 295
                  Extension: server_name
                      Type: server_name (0x0000)
                      Length: 19
                      Server Name Indication extension
                  Extension: ec_point_formats
                      Type: ec_point_formats (0x000b)
                      Length: 4
                      EC point formats Length: 3
                      Elliptic curves point formats (3)
                  Extension: elliptic_curves
                      Type: elliptic_curves (0x000a)
                      Length: 10
                      Elliptic Curves Length: 8
                      Elliptic curves (4 curves)
                  Extension: SessionTicket TLS
                      Type: SessionTicket TLS (0x0023)
                      Length: 0
                      Data (0 bytes)
                  Extension: signature_algorithms
                      Type: signature_algorithms (0x000d)
                      Length: 20
                      Signature Hash Algorithms Length: 18
                      Signature Hash Algorithms (9 algorithms)
                  Extension: Heartbeat
                      Type: Heartbeat (0x000f)
                      Length: 1
                      Mode: Peer allowed to send requests (1)
                  Extension: next_protocol_negotiation
                      Type: next_protocol_negotiation (0x3374)
                      Length: 0
                  Extension: Application Layer Protocol Negotiation
                      Type: Application Layer Protocol Negotiation (0x0010)
                      Length: 5
                      ALPN Extension Length: 3
                      ALPN Protocol
                          ALPN string length: 2
                          ALPN Next Protocol: h2
                  Extension: Padding
                      Type: Padding (0x0015)
                      Length: 200
                      Padding Data: 000000000000000000000000000000000000000000000000...

      Original Client Hello with the proxy disabled:

      Secure Sockets Layer
          TLSv1.2 Record Layer: Handshake Protocol: Client Hello
              Content Type: Handshake (22)
              Version: TLS 1.0 (0x0301)
              Length: 245
              Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 241
                  Version: TLS 1.2 (0x0303)
                  Random
                  Session ID Length: 32
                  Session ID: d7f1f94eb49dbf9c52a0fc15313a13c5ce1b8654e289f256...
                  Cipher Suites Length: 32
                  Cipher Suites (16 suites)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                      Compression Method: null (0)
                  Extensions Length: 136
                  Extension: Unknown 6682
                      Type: Unknown (0x1a1a)
                      Length: 0
                      Data (0 bytes)
                  Extension: renegotiation_info
                      Type: renegotiation_info (0xff01)
                      Length: 1
                      Renegotiation Info extension
                          Renegotiation info extension length: 0
                  Extension: server_name
                      Type: server_name (0x0000)
                      Length: 31
                      Server Name Indication extension
                  Extension: Extended Master Secret
                      Type: Extended Master Secret (0x0017)
                      Length: 0
                  Extension: SessionTicket TLS
                      Type: SessionTicket TLS (0x0023)
                      Length: 0
                      Data (0 bytes)
                  Extension: signature_algorithms
                      Type: signature_algorithms (0x000d)
                      Length: 20
                      Signature Hash Algorithms Length: 18
                      Signature Hash Algorithms (9 algorithms)
                  Extension: status_request
                      Type: status_request (0x0005)
                      Length: 5
                      Certificate Status Type: OCSP (1)
                      Responder ID list Length: 0
                      Request Extensions Length: 0
                  Extension: signed_certificate_timestamp
                      Type: signed_certificate_timestamp (0x0012)
                      Length: 0
                      Data (0 bytes)
                  Extension: Application Layer Protocol Negotiation
                      Type: Application Layer Protocol Negotiation (0x0010)
                      Length: 14
                      ALPN Extension Length: 12
                      ALPN Protocol
                          ALPN string length: 2
                          ALPN Next Protocol: h2
                          ALPN string length: 8
                          ALPN Next Protocol: http/1.1
                  Extension: channel_id
                      Type: channel_id (0x7550)
                      Length: 0
                      Data (0 bytes)
                  Extension: ec_point_formats
                      Type: ec_point_formats (0x000b)
                      Length: 2
                      EC point formats Length: 1
                      Elliptic curves point formats (1)
                  Extension: elliptic_curves
                      Type: elliptic_curves (0x000a)
                      Length: 10
                      Elliptic Curves Length: 8
                      Elliptic curves (4 curves)
                  Extension: Unknown 56026
                      Type: Unknown (0xdada)
                      Length: 1
                      Data (1 byte)

      Thanks.
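Added illustration (my own code, not from the original post and not McAfee's): the ALPN extension the two captures differ in, encoded and decoded per RFC 7301, plus a check for what the proxy-originated hello shows, an ALPN offer of h2 with no http/1.1 fallback. The "reason(1120)" in the error is OpenSSL's 1000 + TLS alert description, so alert 120, no_application_protocol. The SNI and ALPN bodies are constructed stand-ins sized as in the captures (19, 5 and 14 bytes); the other extensions are omitted.

```python
import struct
# TLS alerts (RFC 5246 7.2.2; 120 from RFC 7301). OpenSSL reports a peer's fatal alert as 1000 + description.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 120: "no_application_protocol"}
EXT_SNI, EXT_ALPN = 0x0000, 0x0010

def openssl_reason_to_alert(reason):  # 'reason(1120)' -> alert 120 -> no_application_protocol
    return ALERTS.get(reason - 1000, "alert(%d)" % (reason - 1000)) if reason >= 1000 else None

def build_alpn(protocols):  # ALPN body (RFC 7301): 2-byte list length, then 1-byte-prefixed names
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return struct.pack("!H", len(names)) + names

def build_extensions(exts):  # extensions block: 2-byte total length, then type/len/body TLVs
    blob = b"".join(struct.pack("!HH", t, len(body)) + body for t, body in exts)
    return struct.pack("!H", len(blob)) + blob

def parse_extensions(blob):
    """Return {type: body} for a ClientHello extensions block, rejecting bad lengths."""
    if struct.unpack("!H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    exts, pos = {}, 2
    while pos < len(blob):
        t, ln = struct.unpack("!HH", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 4 + ln]
        if len(body) != ln:
            raise ValueError("truncated extension 0x%04x" % t)
        exts[t], pos = body, pos + 4 + ln
    return exts

def parse_alpn(body):
    """Decode the protocol name list in an ALPN extension body, most preferred first."""
    if struct.unpack("!H", body[:2])[0] != len(body) - 2:
        raise ValueError("ALPN list length mismatch")
    names, pos = [], 2
    while pos < len(body):
        n = body[pos]
        names.append(body[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def missing_http1_fallback(blob):
    """True when ALPN is offered without http/1.1: an HTTP/1.1-only server then aborts."""
    offer = parse_alpn(parse_extensions(blob).get(EXT_ALPN, b"\x00\x00"))
    return bool(offer) and "http/1.1" not in offer

# Constructed stand-ins for the two captured hellos: SNI for www.tvnz.co.nz plus ALPN only.
SNI = struct.pack("!HBH", 17, 0, 14) + b"www.tvnz.co.nz"   # 19-byte body, as in the capture
CHROME_HELLO = build_extensions([(EXT_SNI, SNI), (EXT_ALPN, build_alpn(["h2", "http/1.1"]))])
PROXY_HELLO = build_extensions([(EXT_SNI, SNI), (EXT_ALPN, build_alpn(["h2"]))])
```

Run `missing_http1_fallback` over the extensions block of a captured hello to flag the proxy case; the ALPN body lengths it produces (5 and 14 bytes) match the two captures above.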