Hi folks,
I have been testing the SSL/TLS reports that show up in the GUI. When I opened this window earlier today, the error field was empty, now it has a value.
What does the value mean?
Ian
Hi folks,
I have been testing the SSL/TLS reports that show up in the GUI. When I opened this window earlier today, the error field was empty, now it has a value.
What does the value mean?
Ian
The SSL/TLS Error Page shows all SSL errors, which can occur on a TLS/SSL connection.
Those are publicly known issues like a "Internal Error".
Currently i am looking for a good source with overview of all TLS errors.
__________________________________________________________________________________________________________________
The SSL/TLS Error Page shows all SSL errors, which can occur on a TLS/SSL connection.
Those are publicly known issues like a "Internal Error".
Currently i am looking for a good source with overview of all TLS errors.
__________________________________________________________________________________________________________________
The number 19006 corresponds to the log message ID that will also appear alongside the corresponding log entry in log viewer.
We are still working through all the various internal error states that can occur, which is why in these early versions of the product we are seeing a lot of errors grouped under the same IDs. Some of these are due to outstanding issues that we encounter as the product is exposed to more and more different client/server implementations of SSL/TLS, and again we're working through them. We want to end up with the right balance of detailed error state information, without confusing systems with handling for states that will never occur post-release and which cannot be remedied by customer action.
EAP2, which should be released very soon, has made significant improvements in this area - including the fix for the error that lumps so much traffic together as FTP or 0:443.
Here's a list of the potential error codes that you may see going forward. This list may change. Also, not all error types will appear in the Control Center - only those errors which are likely to be persistent, and therefore might require a site or user to be excluded:
19006 - Internal error - something unexpected happened during the connection - we hope to whittle these down so that they only happen extremely rarely in the field
19007 - Blocked by profile: Certificate validation failed - the server's certificate was invalid but the policy requires certificate validation - signature couldn't be verified, expired or before effective date, no matching hostname, etc
19008 - Blocked by profile: Client certificate required - connections that require a client certificate cannot be decrypted, but in some situations this cannot be established until after we have started interception and it is too late to back off
19009 - Blocked by profile: Compression or other undecryptable options used - TLS compression is now deprecated as an insecure feature of TLS because the relative lengths of compressed payloads can be used to learn information about the content of the unencrypted data so it is not supported by XStream SSL/TLS
19011 - Blocked by profile: RSA key size
19012 - Blocked by profile: TLS version
19013 - Blocked by profile: Negotiated cipher suite
19015 - The connection was blocked by Advanced Threat Protection, based on the SNI
19017 - An error occurred in the TLS handshake
19018 - The connection was dropped/rejected by the client application during the handshake. See the 'Message' field for more information. (This message is most commonly seen when the client application rejects the re-signed TLS certificate. You may see TLS handshake fatal alert: unknown CA(48) or TLS handshake fatal alert: certificate unknown(46), or possibly other TLS alerts. The alert code is sent by the client, and is defined in the TLS protocol standards. The exact response depends on how the client software was written.)