I keep hoping to reach a point where UTM HTTPS Inspection provides the same connectivity as the major browsers. There always seems to be one problem after another.
My current problem seems to be with OpenSSL versions. UTM 9.506-2 uses OpenSSL 1.0.2j-fips. OpenSSL is encouraging everyone to move to OpenSSL 1.1.1, unless you need FIPS compatibility. For FIPS users, you are stuck on version 1.0.2 until a new FIPS module is written and approved by the US Government. Of course, FIPS compatibility is a requirement for systems sold into the US Government, and the US Government is so big that everyone wants a piece of that action.
Unfortunately, I am finding systems that will not talk to old versions of OpenSSL. The most recent problem is with splunk.com. Testing outside of UTM, using several versions of the OpenSSL binaries (openssl s_client -connect server:port), produces these results:
- I can connect easily with OpenSSL 1.1.1,
- but cannot connect at all using OpenSSL 1.1.0 or 1.0.2.
I have analyzed the site with the server test tool at OpenSSL.com, and it looks like there should be a compatible ciphersuite, but SSL Labs and OpenSSL identify ciphersuites a little differently, so it is hard to be certain. If it is not a ciphersuite problem, I don't know where the problem lies.
TLS encryption has been in chaos in recent years, as white-hat researchers keep finding problems with different configuration components, and because TLS 1.3 is being rolled out. It appears that the problem sites are running a version of Apache that has been updated to work around all of the known problems, but this has created problems for older stacks.
At this point, I cannot explain the symptoms. But of course, Chrome and IE 11 do not have a problem connecting when HTTPS inspection is off, because they do not use OpenSSL.
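A small diagnostic helper, added here and not part of the original post, that classifies openssl s_client output so a handshake that fails from an older OpenSSL build can be narrowed to a server alert (protocol rejected or no common cipher suite) versus a flag the local binary does not understand. HOST and PORT are placeholders, and the sample transcripts are constructed rather than captured.

```shell
#!/bin/sh
# Added example (not from the original post): classify `openssl s_client`
# output. Prints one of:
#   OK <protocol> <cipher>      handshake completed
#   FAIL <alert text>           server sent a TLS alert (e.g. handshake failure,
#                               protocol version) before a cipher was agreed
#   FAIL no cipher negotiated   no alert text found but no cipher either
#   UNSUPPORTED <flag>          this openssl binary does not know the flag,
#                               e.g. -tls1_3 on 1.0.2 / 1.1.0
classify_handshake() {
    out=$1
    case $out in
        *"unknown option"*|*"Unknown option"*)
            flag=$(printf '%s\n' "$out" | sed -n 's/.*[Uu]nknown option:* *\(-[^ ]*\).*/\1/p' | head -n1)
            echo "UNSUPPORTED $flag"
            return ;;
    esac
    # The SSL-Session block carries the negotiated protocol and cipher.
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n1)
    case $cipher in
        ""|"0000"|"(NONE)")
            # Pull the alert description from the OpenSSL error line.
            alert=$(printf '%s\n' "$out" | sed -n 's/.* alert \([a-z][a-z ]*\):.*/\1/p' | head -n1)
            echo "FAIL ${alert:-no cipher negotiated}" ;;
        *)
            echo "OK $proto $cipher" ;;
    esac
}

# Run one live probe with extra s_client flags; compare the results of
#   probe HOST 443 -tls1_2
#   probe HOST 443 -tls1_2 -cipher 'ECDHE+AESGCM'
#   probe HOST 443 -tls1_3
# across the 1.0.2, 1.1.0 and 1.1.1 binaries to see which layer rejects you.
probe() {
    host=$1; port=$2; shift 2
    classify_handshake "$(openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1)"
}

# Constructed transcripts in the shape s_client prints (not real captures).
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='139:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'
SAMPLE_UNSUP='unknown option -tls1_3'
```

If the 1.1.0 binary (which already has ChaCha20 and X25519 but no TLS 1.3) reports a server alert while 1.1.1 reports OK, the cipher-list probes tell you whether the gap is a suite the older stack lacks or something else in the handshake.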