Access to SSL sites fails after installing Microsoft patch KB980436

Solutions ID:    KB4015
Version:    3.0
Status:    Published
Published date:    09/15/2010
Updated:    02/04/2011
 

Problem Description

If users are reporting that access to SSL resources fails through the proxy, and nothing in your environment or proxy configuration has changed, please check the following items:

On the Proxy:
Look at the event log on the ProxySG for the following message:

2010-09-08 19:45:31+05:30IST  "error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length"  0 310000:1   ../ssl_proxy/sslproxy_util.cpp:330

This error is repeated throughout the event log, and it indicates that the server has responded with an SSL Server Hello containing more data than the ProxySG expects. As a result, the proxy considers the server's response invalid and sends a reset (RST) to the server.

On client workstations:
Determine if Microsoft KB980436 has been installed onto affected Windows systems.  Details on this patch for Windows XP are available at http://www.microsoft.com/downloads/details.aspx?familyid=FF00381C-E74B-48E5-9DD9-34DBEDD906A2&displaylang=en

Packet capture:
This is the most telling piece of information. In the client hello or server hello packets, you will see "extension: renegotiation_info". This indicates that either the server or the client (depending on which 'hello' packet you're examining) has been patched to support the TLS change. The proxy's typical response is to close the connection because the hello is parsed as being improperly formatted.

 

Resolution

The issue has been reported to engineering.  Please see the status below for the various SGOS branches.

SGOS 6 code branch: The issue is resolved in SGOS 6.1.1.1 or later. SGOS 6.1.1.1 and the accompanying release notes can be downloaded from https://bto.bluecoat.com/download/product/5351 . For information on how to upgrade SGOS, please see KB3608 titled "How do I upgrade SGOS on my ProxySG?"

SGOS 5.5 code branch: The issue is resolved in SGOS 5.5.4.1 or later. The issue is documented in the release notes as bug 140721. SGOS 5.5.4.1 and the accompanying release notes can be downloaded from https://bto.bluecoat.com/download/product/41 . For information on how to upgrade SGOS, please see KB3608 titled "How do I upgrade SGOS on my ProxySG?"

SGOS 5.4 code branch: Support for the changes to SSL is included in SGOS 5.4.5.1 or later. If you are intercepting SSL, Blue Coat recommends that you upgrade to SGOS 5.4.6.1. SGOS 5.4.5.1 and 5.4.6.1 can be downloaded from https://bto.bluecoat.com/download/product/17 . For information on how to upgrade SGOS, please see KB3608 titled "How do I upgrade SGOS on my ProxySG?"

SGOS 5.3 code branch: Please upgrade to a later version.

SGOS 4.3 code branch: The issue is resolved in SGOS 4.3.4.1. The issue is documented in the release notes as bug 140507. SGOS 4.3.4.1 and the accompanying release notes can be downloaded from https://bto.bluecoat.com/download/product/13 . For information on how to upgrade SGOS, please see KB3608 titled "How do I upgrade SGOS on my ProxySG?"


WORKAROUND

Until new versions of SGOS are available, here are some options to allow HTTPS traffic to flow through your proxy:

  • In explicit proxy deployments, disable protocol detection for CONNECT requests to port 443 with the following local policy. (Please see KB3495 for instructions on how to add CPL to your local policy file.)

<Proxy>
http.method=CONNECT url.port=443 detect_protocol(no)

 

  • In transparent proxy deployments, disable any SSL interception layers in policy and change the HTTPS proxy service to use the 'TCP Tunnel' service instead of 'SSL'.
  • Roll back the Microsoft Windows update (KB980436) that includes this patch. This will only work if the issue is caused by a client that has been patched.


ADDITIONAL INFORMATION 
 
This is a known issue in scenarios where servers or clients have been patched to support a change to the TLS/SSL specification. This specification change came about after a vulnerability in the TLS/SSLv3 handshake process was discovered. Initially reported in December of 2009, vulnerability CVE-2009-3555 represents a method for a remote attacker to act as a man in the middle as a user negotiates the SSL handshake with an HTTPS site. Based on this information, Blue Coat published SA44.

The IETF then published the 'TLS Renegotiation Extension' as a part of RFC 5746.

Since this RFC was ratified, Blue Coat product engineering has been working on supporting the new specification for SSL version 3 and TLS, while ensuring that the changes continue to support clients and servers that have patched software as well as those that have not.

Other software manufacturers have also been releasing patches. Among them, Microsoft released its patches (both client and server) to support TLS extensions on August 10, 2010. As a result of Microsoft's patch, SSL interception often fails because the client and the web server support the changed specification while the proxy does not.