LinkBack URL
About LinkBacksAnyone have any idea why this error keeps coming up?
Server SSL decrypt exception: Insufficient buffer remaining for AEAD cipher fragment (1). Needs to be more than or equal to IV size (8) + tag size (16)
Abandoned --> Server SSL decrypt exception
Anyone have any idea why this error keeps coming up?
Server SSL decrypt exception: Insufficient buffer remaining for AEAD cipher fragment (1). Needs to be more than or equal to IV size (8) + tag size (16)
Do you maybe run Application Control and block Non-SSL traffic on port 443?
Not analyzed in detail, but had the same error when played around with SSL Decryptor a few days ago. Noted that with SSL Decryptor enabled, traffic is no longer identified as SSL but as standard HTTP instead. Thus, rule must be deactivated. Meanwhile, I switched back to not filter encrypted traffic unless better options will be available.
I have definitely found SSL Inspector to be a lot more buggy the last few months. There are a lot more sites that just randomly won't load and I see a lot more Abandoned sessions in the log as well.
Thanks for the suggestion, bEeReE, but no, "Block all TCP port 443 traffic that is not HTTPS" is NOT turned on in Application Control.
It's not more buggy but more and more websites and applications are implementing anti-MITM processes to improve security. SSL Inspector is literally breaking the encryption between the endpoint and the site. Google is one of the first to implement these changes.Originally Posted by mjmrad
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
What does the future look like then for schools that need content filtering? What are our best options? This is getting more and more difficult.
Yes it is, and eventually content control won't be possible.
Thank Google and Apple.
OK well you can control content, you just won't be breaking SSL to do it. Web Filter works off SNI too.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
I have been a faithful Untangle customer for many years, but this situation is really making me wonder if a DPI or stateful technology would be more sustainable in the current climate of SSL inspection.
DPI will have no special insight on encrypted traffic. Future solutions are proxy services or on endpoint filtering for encrypted traffic.
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
Posting Permissions
Reply With Quote