Accessing indeed.com
M270 with Fireware 12.5.1
I use Firefox version 79 to access a publicly available resume at (not the entire URL) employers.indeed.com/c/candidates/resume?...
Firefox gives up during TLS handshake after trying for x seconds. It stops trying and I get a blank page. Refreshing (F5) does not help as it still gives a blank page. Edge browser does the same thing (blank page). This is the error I got:
-> 99.86.33.226:443 [A trw] {B}: fatal write error (errno=0: none | sslerr=337690831: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown). aborting channel. Debug"
-> 99.86.129.19:443 [A trw] {B}: fatal write error (errno=0: none | sslerr=337690831: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown). aborting channel. Debug"
-> 99.86.129.143:443 [A trw] {B}: fatal write error (errno=0: none | sslerr=337690831: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown). aborting channel. Debug"
I can only open the web page successfully with Internet Explorer 11 (from the same computer). No errors on the M270.
I noticed "cloudfront.net" in the status bar during TLS handshake so I excluded cloudfront.net in the Predefined content inspection exceptions. Firefox and Edge browser can access the site with cloudfront.net exclusion selected.
I'm puzzled why only IE browser can access the site without excluding cloudfront.net from content inspection?
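An added example, not part of the original thread: a small parser for the three proxy log lines quoted in the post above. It decodes the packed `sslerr` integer and checks that it matches the hex code and text on the same line. It assumes the OpenSSL 1.1.x error layout (8-bit library, 12-bit function, 12-bit reason), and the function names are hypothetical.

```python
import re

# The three proxy log lines from the post above, rebuilt from their common tail.
TAIL = (' [A trw] {B}: fatal write error (errno=0: none | sslerr=337690831: '
        'error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown). '
        'aborting channel. Debug"')
LOG = "\n".join(f"-> {ip}:443{TAIL}"
                for ip in ("99.86.33.226", "99.86.129.19", "99.86.129.143"))

LINE_RE = re.compile(
    r"-> (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) .*?"
    r"sslerr=(?P<dec>\d+): error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\)"
)

def unpack_openssl_1_1(code):
    """Split a packed error code (assumed OpenSSL 1.1.x layout) into lib, func, reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse(log):
    """Return one dict per matching log line; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m["dec"])
        lib, func, reason = unpack_openssl_1_1(code)
        events.append({
            "dest": f'{m["ip"]}:{m["port"]}',
            "lib": lib, "func": func, "reason": reason,
            "text": (m["lib"], m["func"], m["reason"]),
            # The decimal sslerr and the hex in "error:XXXXXXXX" should be the same number.
            "consistent": int(m["hex"], 16) == code,
        })
    return events

def summarize(events):
    """Group destinations by error text, to see whether every endpoint fails the same way."""
    groups = {}
    for e in events:
        groups.setdefault(e["text"], []).append(e["dest"])
    return groups

if __name__ == "__main__":
    for text, dests in summarize(parse(LOG)).items():
        print(" / ".join(text), "->", ", ".join(dests))
```
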
Comments
TLS=0 means that the firewall sees a version of TLS that it can't decode or doesn't support.
Try checking your TLS profile:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/tls_profiles_about_c.html
Make sure PFS is set to allowed, and that you're allowing TLS 1.1, 1.2.
If your issue persists, I'd suggest opening a support case so that the support team can look into this in more detail.
-James Carson
WatchGuard Customer Support
I'm using default TLS profile (TLS-Client-HTTPS.Standard).
Minimum protocol is TLS 1.0
PFS is allowed
Why can't Firefox and Edge access the site but IE has no problem? All traffic comes from the same PC.
As I recall, your web browser will try to use the lowest TLS version it and the web site supports.
You can change Firefox and IE to use a higher level of TLS.
Here is an older article on doing this, but I believe that it is still correct.
How to Configure TLS 1.1 and 1.2
https://www.trumarkonline.org/docs/default-source/pdfs/all-browsers.pdf?sfvrsn=2
Also see this:
Major Browsers Coordinated on Deprecating TLS 1.0 and 1.1
"the four major browsers have uniformly announced that they will deprecate TLS 1.0 and 1.1 starting in 2020."
https://www.entrustdatacard.com/blog/2018/november/deprecating-tls
These are my browser settings. I have not made any changes for years.
IE 11:
Use TLS 1.2 (checked). The rest is unchecked.
FF 79:
security.tls.version.min 3
security.tls.version.max 4
I think ver 3 is TLS 1.2 and ver 4 is TLS 1.3
If you have a current support contract - time for a support incident - to get help in understanding this.