Cisco Support Community
New Member

HTTPS SSL client certificate issue in explicit mode

Hi,

I have an issue in Cisco IronPort explicit forward mode wherein a client is trying to connect to an external website. In the response from the server, the certificate is reaching the client.

HTTPS proxy mode is not enabled on the WSA. The client is using software to connect to the server. I have attached Wireshark output in which the SSL handshake shows certificate length 0.

Website is https://esrs-core.emc.com.

OS version is 7.5.1.

Please suggest.

Regards

Chirag

6 REPLIES
New Member

Sorry, I mean the certificate is not reaching the client.

Cisco Employee

Chirag,

If HTTPS proxy is not enabled, then you will have to tunnel the traffic out.  You may add port 443 as an HTTP Connect port in the Protocols sections in the Access Policies.

-Vance

New Member

Hi Vance,

You mean include the HTTPS protocol in the access policy? If so, then it's already included (HTTP, HTTPS and FTP). Please confirm I understood it correctly.

Regards

Chirag

Cisco Employee

I believe the HTTP, HTTPS, and FTP you mentioned are shown with radio buttons next to them to BLOCK; is that correct? Make sure it is not blocked. On the field below that, make sure port "443" is included as an "HTTP Connect Port."

-Vance

New Member

Hi Vance,

In HTTP, outbound tunnel is allowed with ports 1-65535. The issue here is that during communication between client and server the certificate length was 0, which means SSL communication is not happening properly.

Regards

Chirag

Cisco Employee

Chirag,

I would recommend that you open a TAC case for them to troubleshoot as to what the issue may be.  If you are tunnelling the traffic out, the WSA should not be modifying any certificate information.

-Vance
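Added example, not part of the thread and not Cisco code: a small Python parser that reads the certificate lengths out of the cleartext part of a TLS handshake, so the "certificate length 0" reading can be checked on captures taken on both sides of the proxy. It assumes TLS 1.2 or earlier framing (Certificate messages are encrypted in TLS 1.3) and that the bytes of one direction of the tunnel have already been exported from the capture; the function names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20  # TLS record content types
CERTIFICATE = 11                        # handshake message type

def u24(buf, off):
    """Read a 3-byte big-endian length field."""
    return int.from_bytes(buf[off:off + 3], "big")

def cert_lengths(msg):
    """Length of each entry in one Certificate message body ([] = empty list)."""
    if len(msg) < 3 or u24(msg, 0) != len(msg) - 3:
        raise ValueError("bad certificate_list length")
    lengths, off = [], 3
    while off < len(msg):
        n = u24(msg, off)
        if off + 3 + n > len(msg):
            raise ValueError("certificate entry overruns message")
        lengths.append(n)
        off += 3 + n
    return lengths

def certificate_messages(stream):
    """Entry lengths of every cleartext Certificate message in one direction
    of the tunnelled TLS bytes (the TCP payload after the CONNECT reply)."""
    hs, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if ctype == CHANGE_CIPHER_SPEC or len(body) < length:
            break  # records after this are encrypted, or capture is truncated
        if ctype == HANDSHAKE:
            hs += body  # a handshake message may span several records
        off += 5 + length
    found, off = [], 0
    while off + 4 <= len(hs):
        mtype, mlen = hs[off], u24(hs, off + 1)
        if off + 4 + mlen > len(hs):
            break  # incomplete message
        if mtype == CERTIFICATE:
            found.append(cert_lengths(bytes(hs[off + 4:off + 4 + mlen])))
        off += 4 + mlen
    return found

# Constructed sample bytes (not from the poster's capture; "certs" are dummy).
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

EMPTY = rec(22, b"\x0b\x00\x00\x03\x00\x00\x00")
CHAIN = rec(22, b"\x0b\x00\x00\x0f\x00\x00\x0c\x00\x00\x04AAAA\x00\x00\x02BB")
```

In TLS 1.2 a client sends an empty list when it has no certificate to offer for the server's CertificateRequest, so it matters which direction the zero-length message travels in. Running the parser on the client-side and internet-side captures of the same tunnel should give identical results if the proxy is passing the handshake through unmodified.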
