Troubleshooting Client Hello Drops When Using HTTPS Content Filtering
06/20/2022
Description
Troubleshooting Client Hello Drops When Using HTTPS Content Filtering.
Resolution
Symptom: HTTPS pages do not display, or applications that use HTTPS (TCP 443) have their traffic dropped.
With TLS, HTTPS Content Filtering inspects the SNI extension in the Client Hello, or the Common Name in the server certificate, to identify and block HTTPS websites.
Troubleshooting begins with a packet capture so you can confirm that the Client Hello is the packet being dropped, which prevents the page, or a portion of it, from loading. The same issue can also prevent smartphone apps from updating over HTTPS.
- Server Name Indication (SNI) is an extension to the SSL/TLS protocols that lets an SSL/TLS client (for example, a browser) indicate the exact hostname it is trying to connect to at the start of the SSL/TLS handshake.
- This is shown below in a packet capture from the SonicWall Packet Monitor. Select the packet that is being dropped and expand the SSL extensions to find the server_name extension, which carries the SNI hostname.
HTML/Text version of the same packet:
*Packet number: 40*
Header Values:
Bytes captured: 259, Actual Bytes on the wire: 259
Packet Info(Time:04/15/2015 10:09:26.064):
in:X0*(interface), out:--, DROPPED, Drop Code: 85(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _6328_txGsIboemfJqQlu), 16:12)
Ethernet Header
Ether Type: IP(0x800), Src=[00:1b:8f:27:6e:40], Dst=[c2:ea:e4:6a:bb:a6]
IP Packet Header
IP Type: TCP(0x6), Src=[10.10.20.155], Dst=[93.184.215.191]
TCP Packet Header
TCP Flags = [ACK,PSH,], Src=[49405], Dst=[443], Checksum=0xd141
Application Header
HTTPS
Value:[0]
Hex and ASCII dump of the packet:
c2eae46a bba6001b 8f276e40 08004500 00f540fc 40007f06 *...j.....'n@..E...@.@...*
65ea0a0a 149b5db8 d7bfc0fd 01bb1b39 c67f38d7 fe6b5018 *e.....]........9..8..kP.*
0100d141 00001603 0100c801 0000c403 03a64014 6ab8efa3 *...A..............@.j...*
063c7bb4 db2b9473 a02eb29b a88d92b3 b06f7718 07c128d0 *.<{..+.s.........ow...(.*
6e000018 c02bc02f c00ac009 c013c014 00330032 0039002f *n....+./.........3.2.9./*
0035000a 01000083 0000001a 00180000 1574696c 65732e63 *.5...............tiles.c*
646e2e6d 6f7a696c 6c612e6e 6574ff01 00010000 0a000800 *dn.mozilla.net..........*
06001700 18001900 0b000201 00002300 00337400 00001000 *..............#..3t.....*
23002105 68322d31 35056832 2d313402 68320873 7064792f *#.!.h2-15.h2-14.h2.spdy/*
332e3108 68747470 2f312e31 00050005 01000000 00000d00 *3.1.http/1.1............*
12001004 01050102 01040305 03020304 020202 *................... *
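The hex dump above can be decoded directly to confirm which hostname the dropped Client Hello carries, without clicking through the Packet Monitor tree. The following Python script is an added example and is not part of the SonicWall article or the Packet Monitor tooling: it re-joins the hex dump shown above, strips the Ethernet, IPv4 and TCP headers, then walks the TLS ClientHello to the server_name (SNI) extension and, because the same dump carries it, the ALPN protocol list. All function names are this example's own.

```python
"""Decode a SonicWall Packet Monitor hex dump and pull the SNI from the TLS ClientHello."""
import struct
from typing import Dict, List, Optional

# The 259-byte hex dump from the Packet Monitor output above (4-byte groups, whitespace-separated).
PACKET_HEX = """
c2eae46a bba6001b 8f276e40 08004500 00f540fc 40007f06
65ea0a0a 149b5db8 d7bfc0fd 01bb1b39 c67f38d7 fe6b5018
0100d141 00001603 0100c801 0000c403 03a64014 6ab8efa3
063c7bb4 db2b9473 a02eb29b a88d92b3 b06f7718 07c128d0
6e000018 c02bc02f c00ac009 c013c014 00330032 0039002f
0035000a 01000083 0000001a 00180000 1574696c 65732e63
646e2e6d 6f7a696c 6c612e6e 6574ff01 00010000 0a000800
06001700 18001900 0b000201 00002300 00337400 00001000
23002105 68322d31 35056832 2d313402 68320873 7064792f
332e3108 68747470 2f312e31 00050005 01000000 00000d00
12001004 01050102 01040305 03020304 020202
"""

def hex_dump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated hex groups back into raw frame bytes."""
    return bytes.fromhex("".join(dump.split()))

def tcp_payload(frame: bytes) -> bytes:
    """Strip the Ethernet, IPv4 and TCP headers and return the TCP payload (the TLS record)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IPv4 total length (drops Ethernet padding)
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                  # TCP data offset in bytes
    return tcp[data_off:]

def _parse_sni(data: bytes) -> Optional[str]:
    """server_name extension body: ServerNameList of (name_type, length, name)."""
    list_len = struct.unpack("!H", data[0:2])[0]
    p = 2
    while p + 3 <= 2 + list_len:
        name_type = data[p]
        name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
        name = data[p + 3:p + 3 + name_len]
        p += 3 + name_len
        if name_type == 0:                         # 0 = host_name
            return name.decode("ascii")
    return None

def _parse_alpn(data: bytes) -> List[str]:
    """application_layer_protocol_negotiation body: list of length-prefixed protocol names."""
    list_len = struct.unpack("!H", data[0:2])[0]
    protos, p = [], 2
    while p < 2 + list_len:
        n = data[p]
        protos.append(data[p + 1:p + 1 + n].decode("ascii"))
        p += 1 + n
    return protos

def parse_client_hello(payload: bytes) -> Dict[str, object]:
    """Walk a TLS handshake record containing a ClientHello and collect the fields of interest."""
    if len(payload) < 5 or payload[0] != 0x16:    # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if hs[0] != 0x01:                              # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    info: Dict[str, object] = {"version": body[0:2].hex(), "sni": None, "alpn": [], "extensions": []}
    pos = 2 + 32                                   # client_version + 32-byte random
    pos += 1 + body[pos]                           # session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    info["cipher_suites"] = [body[i:i + 2].hex() for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                           # compression_methods (length-prefixed)
    if pos >= len(body):
        return info                                # no extensions block present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        info["extensions"].append(ext_type)
        if ext_type == 0:                          # server_name
            info["sni"] = _parse_sni(data)
        elif ext_type == 16:                       # ALPN
            info["alpn"] = _parse_alpn(data)
    return info

def sni_from_dump(dump: str) -> Optional[str]:
    """Convenience wrapper: Packet Monitor hex dump in, SNI hostname out."""
    return parse_client_hello(tcp_payload(hex_dump_to_bytes(dump)))["sni"]

if __name__ == "__main__":
    details = parse_client_hello(tcp_payload(hex_dump_to_bytes(PACKET_HEX)))
    print("SNI: ", details["sni"])
    print("ALPN:", details["alpn"])
```

Running it against the dump above yields the SNI tiles.cdn.mozilla.net, which is the name to look up against the CFS categories in the next step. The parser stops at the first record, so a Client Hello split across two TCP segments would need reassembly first; in a capture that shows only one dropped segment, that is a sign to capture more packets rather than a parsing failure.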
Once you have the server name, check it against the categories that are being blocked using this website: SonicWall Internet Security: SonicWall Content Filtering Service Software Protection
In this case, Category 49: Freeware/Software Downloads is set to block.
Add mozilla.net or tiles.cdn.mozilla.net to the Custom Allowed list to allow the traffic to pass.
See the following KBs for more information about the Allowed and Forbidden lists:
How to Test:
Reconnect to the site and start a new capture, watching for any dropped packets. If Client Hellos are still being dropped, repeat the steps above.