E2Guardian: Failed to negotiate ssl connection to client



  • I wanted to show the access log showing Dropbox connection was dropped.

    https://client.dropbox.com DENIED Failed to negotiate ssl connection to client - 0 0 SSL SITE 4 403
    https://d.dropbox.com DENIED Failed to negotiate ssl connection to client - 0 0 SSL SITE 4 403

    I have already installed the CA on the client browser.  But I do not know why it is failing to negotiate ssl connection.
    I have place the CA in the Trusted Root Certificate Authority in internet explorer and chrome. And in Mozilla, in the section Settings\Certificate\Import of Mozilla.  Is there other proper place where Dropbox and Yahoo Messenger reads this CA certificate ?

    Any thoughts Marcelloc ?



  • Create a new alias in the firewall + alias section
    into
    Add your bypass domains like d.dropbox.com, client.dropbox.com
    then this alias is the name
    Bypass Proxy for These Destination IPs
    Write to section
    this is how I work using dropbox



  • @susamlicubuk:

    Create a new alias in the firewall + alias section
    into
    Add your bypass domains like d.dropbox.com, client.dropbox.com
    then this alias is the name
    Bypass Proxy for These Destination IPs
    Write to section
    this is how I work using dropbox

    can I use *.dropbox.com instead of specifying the subdomain ?



  • @ravegen:

    @susamlicubuk:

    Create a new alias in the firewall + alias section
    into
    Add your bypass domains like d.dropbox.com, client.dropbox.com
    then this alias is the name
    Bypass Proxy for These Destination IPs
    Write to section
    this is how I work using dropbox

    can I use *.dropbox.com instead of specifying the subdomain ?

    no but
    It would be better if there was another partition to do the ssl bypass and if the domains could be written
    because it is a bit unstable when you add the alias section
    marcello maybe can.



  • What is the relationship of adding Pass Rule in the firewall for that sites while I am using E2Guardian for filtering ?



  • You are bypassing e2Guardian because ssl is a filtering problem
    e2Guardian with firewall rule is very different things
    e2Guardian squidGuard alternative content filter software
    and much faster



  • ok.  so d.dropbox.com, client.dropbox.com is already known as you gave it to me.  but what about other sites that our 3rd party application use.  How will I know them ?



  • I see and bypass the access log
    Why do you want the ssl filter so much
    I do not install SSL certificates in some institutions
    It can make very stable filter while loading (http and https)
    only in the https sites are banned warning does not come



  • e2guardian can only intercept https sites but some applications like dropbox and skype user same port 443 but with another protocol(most proprietary).

    That's why you can't intercept it. You can try to include skype.com and dropbox.com on e2guardian exception list to do not intercept these connections or add on firewall alias like susamlicubuk posted.



  • @marcelloc:

    e2guardian can only intercept https sites but some applications like dropbox and skype user same port 443 but with another protocol(most proprietary).

    That's why you can't intercept it. You can try to include skype.com and dropbox.com on e2guardian exception list to do not intercept these connections or add on firewall alias like susamlicubuk posted.

    Its SSL pinning, the developers of these programs bake the CA cert into the program so that fake certs like the ones from E2 Guardian cannot be used to intercept traffic.



  • so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right?



  • @ravegen:

    so to block dropbox, skype, yahoo messenger is to mitm ssl disrupting connection and to allow them under mitm ssl connection is to place them on exemption, right?

    Pretty much, yes. Although if you completely want to block them, use banned list and don't rely on the SSL pinning to block it as the developers of the platform can change things.