Troubleshooting guide for TLS handshake errors.
I have an intermittent problem that when a user browses to an HTTPS web site, they get a block page. After refreshing the web site, the user can access it.
It may be possible that the Smoothwall is using an older cached certificate with outdated ciphers to make the HTTPS connection.
Browse to the Guardian > HTTPS Inspection > Settings page.
Find the option labeled cached certificates and click the clear and restart button.
The web may be unavailable for a second or two as the proxy service restarts.
If this does not clear the issue, a TLS handshake error with the server is an upstream issue. It means the server hosting the website does not support TLS.1.1 or 1.2 which is what the Smoothwall uses, and so they cannot agree on a means of secure handshake.
If this is an intermittent problem, the hosting server is likely to be in a cluster, where some have TLS 1.1 or 1.2 enabled and some do not.
You can check what an upstream web server is using by going to https://www.ssllabs.com/ssltest/ and entering the website address. This will test the upstream server and show what protocols are available / supported.
The only way to connect a web server that does not have the ability to handshake with the Smoothwall is to create a rule to not inspect it in HTTPS policy. Full details on how to create an HTTPS policy can be found in the Smoothwall help site https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/https.htm.
|Last updated:||Author:||Contributions by:|
|24th March 2017||Suzanne Knight||Robert Wilson|