Troubleshooting Client Hello Drops When Using HTTPS Content Filtering
03/26/2020 12 12818
DESCRIPTION: Troubleshooting Client Hello Drops When Using HTTPS Content Filtering.
HTTPS Pages not displaying or Apps that use HTTPS 443 traffic being dropped.
With the use of TLS HTTPS Content Filtering looks for SNI Extension in Client Hello or Certificate Common Name to block HTTPS Websites.
Steps to troubleshoot this issue begin with a packet capture so we can identify that the client hello is the packet being dropped and preventing the page from loading or preventing a portion of the page to load. This can also affect smartphones from updating Apps that cannot via https.
Server Name Indication (SNI) is an extension to the SSL/TLS protocols that lets an SSL/TLS client (for example, a browser) indicate the exact hostname it tries to connect to at the start of the SSL/TLS handshaking process.
This is shown below in a packet capture from the Packet Monitor of the SonicWall. You will want to select on the packet that is being dropped and check the SSL Extensions for server_name and again expain to get the SNI name.