  1. #1
    Untangler
    Join Date
    Mar 2012
    Posts
    72

    Abandoned --> Server SSL decrypt exception

    Anyone have any idea why this error keeps coming up?

    Server SSL decrypt exception: Insufficient buffer remaining for AEAD cipher fragment (1). Needs to be more than or equal to IV size (8) + tag size (16)

  2. #2
    Untanglit
    Join Date
    Jun 2020
    Posts
    20

    Do you maybe run Application Control and block Non-SSL traffic on port 443?

    I have not analyzed it in detail, but I had the same error when I played around with SSL Decryptor a few days ago. I noted that with SSL Decryptor enabled, traffic is no longer identified as SSL but as standard HTTP instead. Thus, the rule must be deactivated. Meanwhile, I switched back to not filtering encrypted traffic unless better options become available.

  3. #3
    Untangler
    Join Date
    Mar 2012
    Posts
    72

    I have definitely found SSL Inspector to be a lot more buggy the last few months. There are a lot more sites that just randomly won't load and I see a lot more Abandoned sessions in the log as well.

  4. #4
    Untangler
    Join Date
    Mar 2012
    Posts
    72

    Thanks for the suggestion, bEeReE, but no, "Block all TCP port 443 traffic that is not HTTPS" is NOT turned on in Application Control.

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,394

    Originally posted by mjmrad:
    "I have definitely found SSL Inspector to be a lot more buggy the last few months."

    It's not more buggy, but more and more websites and applications are implementing anti-MITM processes to improve security. SSL Inspector is literally breaking the encryption between the endpoint and the site. Google is one of the first to implement these changes.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangler
    Join Date
    Mar 2012
    Posts
    72

    What does the future look like then for schools that need content filtering? What are our best options? This is getting more and more difficult.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,671

    Yes it is, and eventually content control won't be possible.

    Thank Google and Apple.

    OK well you can control content, you just won't be breaking SSL to do it. Web Filter works off SNI too.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangler
    Join Date
    Mar 2012
    Posts
    72

    I have been a faithful Untangle customer for many years, but this situation is really making me wonder if a DPI or stateful technology would be more sustainable in the current climate of SSL inspection.

  9. #9
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,394

    DPI will have no special insight on encrypted traffic. Future solutions are proxy services or on-endpoint filtering for encrypted traffic.