QUESTION - SSL/TLS error in fixit window

Hi folks,

I have been testing the SSL/TLS reports that show up in the GUI. When I opened this window earlier today, the error field was empty, now it has a value.

What does the value mean?

Ian

  • The SSL/TLS Error Page shows all SSL errors that can occur on a TLS/SSL connection.

    Those are publicly known issues like an "Internal Error".

    Currently I am looking for a good source with an overview of all TLS errors.

  • Ian,

    I confirm it is a bug. I noticed it 2 weeks ago and reported it, but I can't remember the thread; someone confirmed it is a bug and it will be fixed before GA.

    Regards

  • 0:443 is a bug and will be fixed, I think in EAP2.

    As far as I know there will be other changes to this mechanism in EAP2 and possibly EAP3.

  • The number 19006 corresponds to the log message ID that will also appear alongside the corresponding log entry in log viewer.

    We are still working through all the various internal error states that can occur, which is why in these early versions of the product we are seeing a lot of errors grouped under the same IDs. Some of these are due to outstanding issues that we encounter as the product is exposed to more and more different client/server implementations of SSL/TLS, and again we're working through them. We want to end up with the right balance of detailed error state information, without confusing systems with handling for states that will never occur post-release and which cannot be remedied by customer action. 

    EAP2, which should be released very soon, has made significant improvements in this area - including the fix for the error that lumps so much traffic together as FTP or 0:443.

    Here's a list of the potential error codes that you may see going forward. This list may change. Also, not all error types will appear in the Control Center - only those errors which are likely to be persistent, and therefore might require a site or user to be excluded:

    19006 - Internal error - something unexpected happened during the connection - we hope to whittle these down so that they only happen extremely rarely in the field

    19007 - Blocked by profile: Certificate validation failed - the server's certificate was invalid but the policy requires certificate validation - signature couldn't be verified, expired or before effective date, no matching hostname, etc

    19008 - Blocked by profile: Client certificate required - connections that require a client certificate cannot be decrypted, but in some situations this cannot be established until after we have started interception and it is too late to back off

    19009 - Blocked by profile: Compression or other undecryptable options used - TLS compression is now deprecated as an insecure feature of TLS, because the relative lengths of compressed payloads can be used to learn information about the content of the unencrypted data, so it is not supported by XStream SSL/TLS

    19011 - Blocked by profile: RSA key size

    19012 - Blocked by profile: TLS version

    19013 - Blocked by profile: Negotiated cipher suite

    19015 - The connection was blocked by Advanced Threat Protection, based on the SNI

    19017 - An error occurred in the TLS handshake

    19018 - The connection was dropped/rejected by the client application during the handshake. See the 'Message' field for more information. (This message is most commonly seen when the client application rejects the re-signed TLS certificate. You may see TLS handshake fatal alert: unknown CA(48) or TLS handshake fatal alert: certificate unknown(46), or possibly other TLS alerts. The alert code is sent by the client, and is defined in the TLS protocol standards. The exact response depends on how the client software was written.)
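As an added illustration of the 19018 entry above (example code, not from the thread or the vendor): decoding a plaintext TLS alert record as the client sends it during the handshake and rendering it in the "TLS handshake fatal alert: unknown CA(48)" form quoted in the post. The alert codes are those defined in RFC 5246/8446; the 19018 mapping for a fatal client alert is taken from the post, the record bytes are constructed, and TLS 1.3 alerts sent after the handshake keys are active are encrypted and cannot be read this way.

```python
# Added example: decode a TLS alert record (RFC 5246 section 7.2) and
# render it the way the thread quotes the 'Message' field of a 19018 entry.
# Sample bytes are constructed; the message format follows the post's text.
import struct

ALERT_CONTENT_TYPE = 21            # record type for the alert protocol
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {             # AlertDescription values from RFC 5246/8446
    0: "close notify", 10: "unexpected message", 20: "bad record MAC",
    40: "handshake failure", 42: "bad certificate", 43: "unsupported certificate",
    44: "certificate revoked", 45: "certificate expired", 46: "certificate unknown",
    47: "illegal parameter", 48: "unknown CA", 49: "access denied",
    50: "decode error", 51: "decrypt error", 70: "protocol version",
    71: "insufficient security", 80: "internal error", 90: "user canceled",
    112: "unrecognized name",
}

def parse_tls_alert(record: bytes):
    """Parse one TLS record; return (level, description) for a plaintext
    alert, or None if the record is not an alert (handshake, app data...).
    Layout: content type(1) version(2) length(2) fragment(length)."""
    if len(record) < 5:
        raise ValueError("record too short for a TLS record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        return None
    if length != 2 or len(record) < 7:
        raise ValueError("a plaintext alert fragment is exactly 2 bytes")
    return record[5], record[6]

def describe_alert(level: int, desc: int) -> str:
    """Render an alert as the thread quotes it, e.g. 'unknown CA(48)'."""
    lvl = ALERT_LEVELS.get(level, f"level {level}")
    name = ALERT_DESCRIPTIONS.get(desc, "unknown alert")
    return f"TLS handshake {lvl} alert: {name}({desc})"

def classify_client_alert(record: bytes):
    """Map a client-sent alert to the post's 19018 (fatal alert = client
    rejected the connection); a warning alert gets no ID since it does not
    by itself end the handshake. Returns None for non-alert records."""
    parsed = parse_tls_alert(record)
    if parsed is None:
        return None
    level, desc = parsed
    return (19018 if level == 2 else None, describe_alert(level, desc))

# Constructed sample: client rejects the re-signed certificate with a
# fatal (2) unknown_ca (48) alert, TLS 1.2 record version 0x0303.
SAMPLE_UNKNOWN_CA = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x30])
```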