Troubleshooting Client Hello Drops When Using HTTPS Content Filtering
03/26/2020 
12 
11302
DESCRIPTION:
Troubleshooting Client Hello Drops When Using HTTPS Content Filtering.
RESOLUTION:
HTTPS Pages not displaying or Apps that use HTTPS 443 traffic being dropped.
With the use of TLS HTTPS Content Filtering looks for SNI Extension in Client Hello or Certificate Common Name to block HTTPS Websites.
Steps to troubleshoot this issue begin with a packet capture so we can identify that the client hello is the packet being dropped and preventing the page from loading or preventing a portion of the page to load. This can also affect smartphones from updating Apps that cannot via https.
- Server Name Indication (SNI) is an extension to the SSL/TLS protocols that lets an SSL/TLS client (for example, a browser) indicate the exact hostname it tries to connect to at the start of the SSL/TLS handshaking process.
- This is shown below in a packet capture from the Packet Monitor of the SonicWall. You will want to select on the packet that is being dropped and check the SSL Extensions for server_name and again expain to get the SNI name.
HTML/Text version of the same packet:
*Packet number: 40*
Header Values:
Bytes captured: 259, Actual Bytes on the wire: 259
Packet Info(Time:04/15/2015 10:09:26.064):
in:X0*(interface), out:--, DROPPED, Drop Code: 85(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _6328_txGsIboemfJqQlu), 16:12)
Ethernet Header
Ether Type: IP(0x800), Src=[00:1b:8f:27:6e:40], Dst=[c2:ea:e4:6a:bb:a6]
IP Packet Header
IP Type: TCP(0x6), Src=[10.10.20.155], Dst=[93.184.215.191]
TCP Packet Header
TCP Flags = [ACK,PSH,], Src=[49405], Dst=[443], Checksum=0xd141
Application Header
HTTPS
Value:[0]
Hex and ASCII dump of the packet:
c2eae46a bba6001b 8f276e40 08004500 00f540fc 40007f06 *...j.....'n@..E...@.@...*
65ea0a0a 149b5db8 d7bfc0fd 01bb1b39 c67f38d7 fe6b5018 *e.....]........9..8..kP.*
0100d141 00001603 0100c801 0000c403 03a64014 6ab8efa3 *...A..............@.j...*
063c7bb4 db2b9473 a02eb29b a88d92b3 b06f7718 07c128d0 *.<{..+.s.........ow...(.*
6e000018 c02bc02f c00ac009 c013c014 00330032 0039002f *n....+./.........3.2.9./*
0035000a 01000083 0000001a 00180000 1574696c 65732e63 *.5...............tiles.c*
646e2e6d 6f7a696c 6c612e6e 6574ff01 00010000 0a000800 *dn.mozilla.net..........*
06001700 18001900 0b000201 00002300 00337400 00001000 *..............#..3t.....*
23002105 68322d31 35056832 2d313402 68320873 7064792f *#.!.h2-15.h2-14.h2.spdy/*
332e3108 68747470 2f312e31 00050005 01000000 00000d00 *3.1.http/1.1............*
12001004 01050102 01040305 03020304 020202 *................... *
Once you have this information you can check the server name against the categories that are being blocked. In this case the Category 49: Freeware/Software Downloads is set to block.
Add mozilla.net or tilles.cdn.mozilla.net in the Custom Allowed list allowed the traffic to pass.
How to Test:
Reconnect to the site and start a new capture (watching for any dropped packets) if the drops are for client hellos repeat the steps above.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
