Unable to access HTTPS or HTTP pages after upgrading to SGOS 5.5.9.1, 6.2.8.1, or 6.2.9.1

Solution

Overview

After upgrading to 5.5.9.1, 6.2.8.1, or 6.2.9.1, you are unable to access HTTPS or HTTP

Policy trace shows: EXCEPTION(content_encoding_error): Unknown content encoding

PCAP shows no response from the proxy, or a FIN/ACK after the SSL 'client hello'

Results may vary depending on policy conditions and deployment type, but essentially if you see 'content_encoding_error' in a policy trace while accessing HTTPS or HTTP pages or applications which use HTTPS or HTTP, this KB discusses the cause and resolution.

Cause
Resolution

A new bug has been introduce in 5.5.9.1, 6.2.8.1, or 6.2.9.1 in relation to using the following CPL policy condition/actions:

http.response.apparent_data_type=(executable,cabinet), detect_protocol(none), or detect_protocol.ssl(no)

If you are using this policy in an explicit deployment under 5.5.9.1, 6.2.8.1, or 6.2.9.1, then HTTPS or HTTP pages may be inaccessible.

 

This policy is also automatically created when enabling 'Malware scanning' under:

Configuration--> Threat Protection --> Malware scanning.

 

Possible work-arounds to the problem are:

1) Upgrade to SGOS 6.2.10.1

1) Remove any apparent data type policies

2) Disable Malware scanning

3) Revert back to a previous version of SGOS 

4) Enable protocol detection for affected sites (sites that require protocol detection to be disabled may still fail)

This has been raised internally under bug :

Bug 175814 - cannot access HTTPS sites with http.response.apparent_data_type policy under explicit deployment.

This bug has been fixed and is expected to be included in the next GA release of each affected SGOS branch (no ETA at this time).

 

Workaround
Additional Information
Bug Number
InQuira Doc IdKB5071
Attachment

Article Feedback

Did this Article solve your issue?
Additional Comments:
 
Previous MonthNext Month
SunMonTueWedThuFriSat