HTTPS REQUEST : tls_version="SSL_0"

Hello,

I am currently having a problem accessing a website: www.capfun.com
This problem only occurs on this website.

Logs when trying to access the website:

2023-03-15 11:32:46 Allow 192.168.7.10 85.233.223.141 https/tcp 60522 443 VLAN Data WAN - FIBER FTTH - FREE HTTPS Request (HTTPS-proxy - Surfweb-00) HTTPS-Client.Standard.4 proc_id= "https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client.Standard.4" tls_profile="TLS-Client-HTTPS.Standard" tls_version="SSL_0" sni="www.capfun .com" cn="" cert_issuer="" cert_subject="" action="allow" app_id="0" app_cat_id="0" sent_bytes="517" rcvd_bytes="0" geo_dst="ENG" Traffic

2023-03-15 11:32:46 Allow 192.168.7.10 85.233.223.141 https/tcp 60521 443 VLAN Data WAN - FIBER FTTH - FREE HTTPS Request (HTTPS-proxy - Surfweb-00) HTTPS-Client.Standard.4 proc_id= "https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client.Standard.4" tls_profile="TLS-Client-HTTPS.Standard" tls_version="SSL_0" sni="www.capfun .com" cn="" cert_issuer="" cert_subject="" action="allow" app_id="0" app_cat_id="0" sent_bytes="517" rcvd_bytes="0" geo_dst="ENG" Traffic

I can see that it does not detect the TLS version and the certificate.

I checked the HTTPS proxy: no ban set.

TLS settings
Minimum protocol version: TLS v1.0
OCSP: N/A
PFS Ciphers: N/A
TLS Compliance: Not enforced

I tried to add a packet rule with the IP of the website, without success.
I manage several Firebox with the same rules and this problem only occurs on this one.

Firebox T35 (Fireware OS v12.5.11.B666392).
The other Fireboxes I manage have the same version.

Do you have any idea? Is it a problem with the TLS configuration or the certificate?

Thanks in advance for your help!

Best Answer

  • It sure seems that something upstream is blocking this HTTPS access.

    Contact your ISP and see if they can help figure this out.

    One other thing to try is to connect directly to your ISP connection with a laptop and see if you can get to that web site.
    If so, then it is the firewall somehow.

Answers

  • An HTTPS packet filter To: 85.233.223.141 should work.
    Since it doesn't, it suggests that something upstream may be blocking this access.

    Try a tracert to the IP addr, and see if it looks like the tracert is being blocked.

    From my location, the 10th hop is 85.233.223.141.

    Could be an ISP issue.

  • Hello Bruce,

    Thanks for your quick reply.
    The tracert is not blocked. From my location, it's the 7th hop.

  • Logs on a Firebox where the connection is working:

    2023-03-15 11:31:11 Allow 192.168.58.106 85.233.223.141 https/tcp 51749 443 LAN-x WAN - 4G - BOUYGUES HTTPS Request (HTTPS-proxy-SurfWeb-00) HTTPS-Client.Standard.T35 proc_id="https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client.Standard.T35" tls_profile="TLS-Client-HTTPS.Standard" tls_version="TLS_V13" sni="www.capfun.com" cn="www.capfun.com" cert_issuer="CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR" cert_subject="CN=www.capfun.com" action="allow" app_id="0" app_cat_id="0" sent_bytes="5360" rcvd_bytes="489669" geo_dst="FRA" Traffic

  • Notice that the rcvd_bytes="0", thus there will be no info on the TLS version or the web site cert.

    Perhaps this is an MTU issue?
    Try lowering the MTU on a test PC to 1400, and see if that helps.

  • Changing the MTU to 1400 did not allow access to the website.

  • Why are we seeing an old SSL version, tls_version="SSL_0"?

  • The HTTPS proxy did not get (see) any packets from the web server - so I think that it is just incorrect info in the log entry as the SSL version is unknown.
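The point made in the reply above (rcvd_bytes="0" means the proxy never saw a byte from the server, so tls_version="SSL_0" and the empty cn/cert fields are placeholders rather than a real protocol negotiation) is easy to check mechanically across a whole log export. The following is an added example, not code from the thread or from WatchGuard: a small parser for the Firebox HTTPS-proxy log format shown in this thread, with a triage step that flags (source, destination) pairs where every attempt got nothing back. The sample log lines are constructed from the field values quoted in the thread; the field names come from those log lines, while the (src, dst) grouping and the category names are my own choices.

```python
import re
from collections import defaultdict

# Positional header: timestamp, disposition, src, dst, proto, sport, dport.
# The interface/policy text that follows is free-form, so we stop there.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<disposition>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) "
)
# key="value" pairs; \s* tolerates the stray space in proc_id= "https-proxy".
KV_RE = re.compile(r'(?P<k>[A-Za-z_]+)=\s*"(?P<v>[^"]*)"')
INT_FIELDS = ("sent_bytes", "rcvd_bytes", "rc")

# Constructed sample: two entries from the failing Firebox (no bytes received)
# and one from a Firebox where the same site works (TLS 1.3 handshake seen).
FAILING_LINE = (
    '2023-03-15 11:32:46 Allow 192.168.7.10 85.233.223.141 https/tcp 60522 443 '
    'VLAN Data WAN - FIBER FTTH - FREE HTTPS Request (HTTPS-proxy - Surfweb-00) '
    'HTTPS-Client.Standard.4 proc_id= "https-proxy" rc="548" msg_id="2CFF-0000" '
    'proxy_act="HTTPS-Client.Standard.4" tls_profile="TLS-Client-HTTPS.Standard" '
    'tls_version="SSL_0" sni="www.capfun.com" cn="" cert_issuer="" cert_subject="" '
    'action="allow" app_id="0" app_cat_id="0" sent_bytes="517" rcvd_bytes="0" '
    'geo_dst="ENG" Traffic'
)
WORKING_LINE = (
    '2023-03-15 11:31:11 Allow 192.168.58.106 85.233.223.141 https/tcp 51749 443 '
    'LAN-x WAN - 4G - BOUYGUES HTTPS Request (HTTPS-proxy-SurfWeb-00) '
    'HTTPS-Client.Standard.T35 proc_id="https-proxy" rc="548" msg_id="2CFF-0000" '
    'proxy_act="HTTPS-Client.Standard.T35" tls_profile="TLS-Client-HTTPS.Standard" '
    'tls_version="TLS_V13" sni="www.capfun.com" cn="www.capfun.com" '
    'cert_issuer="CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR" '
    'cert_subject="CN=www.capfun.com" action="allow" app_id="0" app_cat_id="0" '
    'sent_bytes="5360" rcvd_bytes="489669" geo_dst="FRA" Traffic'
)
SAMPLE_LOGS = "\n".join([FAILING_LINE, FAILING_LINE.replace("60522", "60521"), WORKING_LINE])


def parse_line(line):
    """Return header fields plus key="value" fields as a dict, or None if not a log line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    for kv in KV_RE.finditer(line, m.end()):
        k, v = kv.group("k"), kv.group("v")
        rec[k] = int(v) if k in INT_FIELDS and v.isdigit() else v
    return rec


def classify(rec):
    """Explain what the TLS fields actually tell us for one HTTPS Request entry."""
    if rec.get("rcvd_bytes") == 0:
        # ClientHello went out, nothing came back: SSL_0 / empty cert are
        # placeholders, not a policy decision on an old protocol.
        return "no_server_response"
    if rec.get("tls_version", "SSL_0") != "SSL_0" and rec.get("cn"):
        return "handshake_observed"
    return "partial_handshake"


def summarize(text):
    """Count outcomes per (src, dst) pair so a hung destination stands out."""
    out = defaultdict(lambda: {"attempts": 0, "no_server_response": 0,
                               "partial_handshake": 0, "handshake_observed": 0,
                               "tls_versions": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = out[(rec["src"], rec["dst"])]
        s["attempts"] += 1
        c = classify(rec)
        s[c] += 1
        if c == "handshake_observed":
            s["tls_versions"].add(rec["tls_version"])
    return dict(out)


def triage(summary):
    """Pairs where every attempt got zero bytes back: look upstream, not at the TLS profile."""
    return {pair: s["attempts"] for pair, s in summary.items()
            if s["attempts"] and s["no_server_response"] == s["attempts"]}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for pair, s in summary.items():
        print(pair, {k: v for k, v in s.items()})
    print("never answered:", triage(summary))
```

Run against a real log export, the script separates "the proxy blocked an old TLS version" (rcvd_bytes > 0 with a populated tls_version) from "the server never answered" (rcvd_bytes = 0), which is the distinction this thread turned on.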

  • Hello Bruce,

    Thanks for these responses.
    I thought of connecting directly to the ISP router. I can't get to the site right away; I'll do some testing as soon as possible and keep you informed.

  • Tests carried out live on the ISP router: impossible to access the site. I opened a ticket with the ISP.
    Thanks again for your time and clarification.
