Cisco Bug: CSCuw50244 - HTTPS sites fail with TLS 1.2 on 9.0 if server hello has EC extension

Last Modified

Mar 08, 2018

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

9.0.0-485

Description (partial)

Symptom:
Access to HTTPS websites whose server hello includes "Extension: elliptic_curves" fails when only TLS 1.2 is used.

When access to such an HTTPS website fails, the access logs show a 502, like the line below:
------------------------------------------ 
1443689374.008 625 10.150.52.63 TCP_MISS/502 39 CONNECT tunnel://www.example.com:443/ - DIRECT/www.example.com - DECRYPT_xxxx_xx-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_edu,1.5,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_edu,-,"-","-","Unknown","Unknown","-","-",0.50,0,-,"-","-",-,"-",-,-,"-","-"> -

Conditions:
1) WSA running AsyncOS version 9.0.0-485
2) TLS 1.2 enabled on WSA
3) Fallback disabled on WSA (default)
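As an added illustration (not part of the Cisco bug record), the parser below reads a TLS ServerHello record and reports whether it matches the condition this bug describes: TLS 1.2 negotiated and the elliptic_curves extension (type 0x000a) present. The sample ServerHello bytes are constructed here, with a zero random, empty session ID and cipher suite 0xc02f chosen only as plausible filler.

```python
"""Parse a TLS ServerHello record and flag the CSCuw50244 trigger:
TLS 1.2 plus the elliptic_curves extension (type 0x000a) in the server hello."""
import struct

ELLIPTIC_CURVES_EXT = 0x000A   # "elliptic_curves" extension type (RFC 4492)
TLS12 = 0x0303

def parse_server_hello(record: bytes):
    """Return (version, cipher_suite, {ext_type: ext_data}) from one TLS record
    holding a ServerHello. Raises ValueError or struct.error on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("record truncated or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("handshake body truncated")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte server random
    sid_len = hs[pos]; pos += 1 + sid_len          # skip session_id
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression byte
    exts = {}
    if pos < len(hs):                              # extensions block is optional
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end != len(hs):
            raise ValueError("extensions length mismatch")
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            exts[etype] = hs[pos:pos + elen]; pos += elen
    return version, cipher_suite, exts

def triggers_cscuw50244(record: bytes) -> bool:
    """True when the ServerHello is TLS 1.2 and advertises elliptic_curves."""
    version, _, exts = parse_server_hello(record)
    return version == TLS12 and ELLIPTIC_CURVES_EXT in exts

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, zero random, empty session id,
    cipher suite 0xc02f) wrapping the given extensions blob in a TLS record."""
    hs = struct.pack("!H", TLS12) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hs += struct.pack("!H", len(extensions)) + extensions
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!HH", TLS12, len(body)) + body

# elliptic_curves extension listing secp256r1 (0x0017): the bug's trigger
EC_EXT = struct.pack("!HHHH", ELLIPTIC_CURVES_EXT, 4, 2, 0x0017)
# ec_point_formats extension (0x000b) alone: does not match the bug condition
PF_EXT = struct.pack("!HHBB", 0x000B, 2, 1, 0)
```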