Troubleshooting : Solutions by issue type : Connectivity issues : Checking the SSL/TLS handshake & encryption
 
Checking the SSL/TLS handshake & encryption
If the client is attempting to make an HTTPS connection, but the attempt fails after the connection has been initiated, during negotiation, the problem may be with SSL/TLS. Symptoms may include error messages such as:
ssl_error_no_cypher_overlap
(Mozilla Firefox 9.0.1)
Error 113 (net::ERROR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
(Google Chrome 16.0.912.75 m)
Expected SSL/TLS behavior varies by SSL inspection vs. SSL offloading (see “Offloading vs. inspection”):
SSL offloading — Reverse proxy mode only (see “Supported features in each operation mode”).
The handshake is between the client and FortiWeb. If the connection cannot be established, verify that the browser supports one of the key exchanges, encryption algorithms, and authentication (hashes) offered by FortiWeb. See “Supported cipher suites & protocol versions”.
SSL inspection — True transparent proxy, offline protection mode and transparent inspection mode only.
The handshake is between the client and the web server. If the connection cannot be established, verify that the browser supports one of the key exchanges, encryption algorithms, and authentication (hashes) suggested by the web server. Server-side, you must also verify that your web server supports enough cipher suites that all required clients can connect.
 
Google Chrome will prefer an anonymous Diffie-Hellman key exchange. This has the property of perfect forward secrecy, which makes SSL inspection theoretically impossible. To guarantee that this is not used to hide attacks from FortiWeb, you must disable it on your web server. On Apache, you would add !ADH to the SSLCipherSuite configuration line. For example:
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
If you are not sure which cipher suites are currently supported, you can use SSL tools such as OpenSSL to discover support. For example, you could use this client-side command to know whether the web server or FortiWeb supports strong (HIGH) encryption:
openssl s_client -connect example.com:443 -cipher HIGH
or supports deprecated or old versions such as SSL 2.0:
openssl s_client -ssl2 -connect example.com:443
 
If your web servers are required to comply with PCI DSS, you should make sure that your web servers do not allow weak encryption. For example, if your web servers accept SSL 2.0 or MD5 hashes, you may fail your PCI DSS audit.