Netscaler VPN clients unable to connect to HTTPS websites via a Bluecoat Web Proxy server on port 80 (but it works on 8080)
Hi Guys
Our Netscaler VPN clients are able to connect to the network and reach the Bluecoate Proxy on the network layer (port 80), but when we try to browse to HTTPS Internet websites, the connections seem to get dropped. Internet sites on HTTP work fine.
Our Bluecoat Proxy (hosted in a managed network that we have no access to) also listens on port 8080. if we configure the Netscalers to use the web proxy on port 8080, the issue is resolved. i.e. both HTTP and HTTPS work fine.
Unfortunately, we have a particular business requirement to get this working on port 80. Port 8080 can not be used at present.
Could anyone point me in the right direction?
Thanks
Mihail
Our Netscaler VPN clients are able to connect to the network and reach the Bluecoate Proxy on the network layer (port 80), but when we try to browse to HTTPS Internet websites, the connections seem to get dropped. Internet sites on HTTP work fine.
Our Bluecoat Proxy (hosted in a managed network that we have no access to) also listens on port 8080. if we configure the Netscalers to use the web proxy on port 8080, the issue is resolved. i.e. both HTTP and HTTPS work fine.
Unfortunately, we have a particular business requirement to get this working on port 80. Port 8080 can not be used at present.
Could anyone point me in the right direction?
Thanks
Mihail
https uses port 443 not port 80
Thanks for your comment, Arnold.
We have tried to trace the traffic as it is leaving the netscaler for the BlueCoat webproxy and the conclusion was that no traffic was leaving the netscaler when we attempted to connect to HTTPS websites (it worked for http sites fine).
so I cant t "check whether the Netscreen detects and rejects the encrypted data within port 80" as it doesn't appear to be sending it out on port 80. Where would this rule be configured on the netscaler? Can we override it?
Many thanks
m
We have tried to trace the traffic as it is leaving the netscaler for the BlueCoat webproxy and the conclusion was that no traffic was leaving the netscaler when we attempted to connect to HTTPS websites (it worked for http sites fine).
so I cant t "check whether the Netscreen detects and rejects the encrypted data within port 80" as it doesn't appear to be sending it out on port 80. Where would this rule be configured on the netscaler? Can we override it?
Many thanks
m
Also, the business requirement is for a Netscaler VPN client to be able to connect Outlook to their Office 365 mailbox via another Bluecoat web proxy that does not have port 8080 open. so we have to get it working for port 80...
Often deep inspection detects encrypted data going through port 80 as a concern......
Please check your logs whether you can locate event that sheds light on your situation.
Check with the vendor.
Please check your logs whether you can locate event that sheds light on your situation.
Check with the vendor.
ASKER
Arnold, do you mean check the logs on the BlueCoat proxy? we don't have access to these logs so it a bit problematic.
Last time we performed these assessment it was concluded that HTTPS traffic was not leaving the netscaler. i.e. nothing was reaching the proxy when HTTP requests were made from the client.
If you were referring to the Netscaler (v11) logs, coudl you please clarify which ones?
Last time we performed these assessment it was concluded that HTTPS traffic was not leaving the netscaler. i.e. nothing was reaching the proxy when HTTP requests were made from the client.
If you were referring to the Netscaler (v11) logs, coudl you please clarify which ones?
ASKER
p.s. the follwoing VRTX comments are mine:
Thanks for your comment, Arnold.
We have tried to trace the traffic as it is leaving the netscaler for the BlueCoat webproxy and the conclusion was that no traffic was leaving the netscaler when we attempted to connect to HTTPS websites (it worked for http sites fine).
so I cant t "check whether the Netscreen detects and rejects the encrypted data within port 80" as it doesn't appear to be sending it out on port 80. Where would this rule be configured on the netscaler? Can we override it?
Many thanks
----
Also, the business requirement is for a Netscaler VPN client to be able to connect Outlook to their Office 365 mailbox via another Bluecoat web proxy that does not have port 8080 open. so we have to get it working for port 80...
Thanks for your comment, Arnold.
We have tried to trace the traffic as it is leaving the netscaler for the BlueCoat webproxy and the conclusion was that no traffic was leaving the netscaler when we attempted to connect to HTTPS websites (it worked for http sites fine).
so I cant t "check whether the Netscreen detects and rejects the encrypted data within port 80" as it doesn't appear to be sending it out on port 80. Where would this rule be configured on the netscaler? Can we override it?
Many thanks
----
Also, the business requirement is for a Netscaler VPN client to be able to connect Outlook to their Office 365 mailbox via another Bluecoat web proxy that does not have port 8080 open. so we have to get it working for port 80...
Can you check whether you are diverting port 443 traffic to a proxy via port 80?
Redirecting encrypted traffic is not possible as there is no way to access what the request is.
Usually, a proxy handler for secure communication merely establishes a tunnel/connection through which the client then negotiates the session with the end ..
Redirecting encrypted traffic is not possible as there is no way to access what the request is.
Usually, a proxy handler for secure communication merely establishes a tunnel/connection through which the client then negotiates the session with the end ..
ASKER
Do you mean "are we diverting port 443 traffic to a proxy via port 80" using the Nescaler functionality? How can i check this?
How are proxy settings deployed in your environment? Are you using transparent mode diverting requests on port 80 to the proxy? If so what do you do for port 443 destined requests. If you push proxy settings or publish them using DNS/DHCP
When you reference port 8080 is that an instance of net scalar that you configure to listen on that port ?often port 8080 is a tomcat unsecured port so it is unclear what you are comparing. As commonly both port 80 and 8080 are unencrypted data streams.
If you have a Linux/UNIX system, or instal, OpenSSL on a Windows system
From the command line in either run, openssl s_client -connect anysecureurl:443
And see what happens. Are you connected destination and can make request
HEAD HTTPS://www.theurl.com HTTP/1.1
HOst:
REferrer:
When you reference port 8080 is that an instance of net scalar that you configure to listen on that port ?often port 8080 is a tomcat unsecured port so it is unclear what you are comparing. As commonly both port 80 and 8080 are unencrypted data streams.
If you have a Linux/UNIX system, or instal, OpenSSL on a Windows system
From the command line in either run, openssl s_client -connect anysecureurl:443
And see what happens. Are you connected destination and can make request
HEAD HTTPS://www.theurl.com HTTP/1.1
HOst:
REferrer:
Hi There,
Found these two links.
http://docplayer.net/6624924-Blue-coat-security-first-steps-solution-for-controlling-https.html
http://discussions.citrix.com/topic/350825-netscaler-gateway-access-intermittent-access-problem/ (Check for bluecoat specifically).
Kindly confirm if the bluecoat device is deployed in transparent/explicit mode.
Found these two links.
http://docplayer.net/6624924-Blue-coat-security-first-steps-solution-for-controlling-https.html
http://discussions.citrix.com/topic/350825-netscaler-gateway-access-intermittent-access-problem/ (Check for bluecoat specifically).
Kindly confirm if the bluecoat device is deployed in transparent/explicit mode.
ASKER
Arnold
Please see the results below of the OpenSSL Test you have asked us to run:
Internal LAN
OpenSSL> s_client -host www.google.co.uk -port 443
Loading 'screen' into random state - done
CONNECTED(00000168)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mo
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equif
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIgHDCCHwSgAwIBAgIIN7KozY
BhMCVVMxEzARBgNVBAoTCkdvb2
cm5ldCBBdXRob3JpdHkgRzIwHh
WjBkMQswCQYDVQQGEwJVUzETMB
TW91bnRhaW4gVmlldzETMBEGA1
Z2xlLmNvbTCCASIwDQYJKoZIhv
LBcmg8UXFIEnSNC/HW8UdX0A1P
sgJHL0qKVvMF9h7fhO6UUlf2hL
yad0fL3iS7y0atkiT1h6YNdqq1
6dsnTjH6kozz1+nrQooyUEwTNy
XXANjK0nM+WRs9xIyrvW3pGe5I
sijYat7zAW0CAwEAAaOCHOswgh
BQcDAjCCG7cGA1UdEQSCG64wgh
LmFuZHJvaWQuY29tghYqLmFwcG
ZWNsaWNrLm5ldIILKi5jYy1kdC
ZS5kb3VibGVjbGljay5uZXSCES
aWNrLm5ldIIVKi5mbHMuZG91Ym
Lm5ldIIWKi5nb29nbGUtYW5hbH
Z2xlLmFkggsqLmdvb2dsZS5hZY
Lmdvb2dsZS5hbIILKi5nb29nbG
dIILKi5nb29nbGUuYXqCCyouZ2
bGUuYmaCCyouZ29vZ2xlLmJngg
Z29vZ2xlLmJzggsqLmdvb2dsZS
ggwqLmdvb2dsZS5jYXSCCyouZ2
bGUuY2aCCyouZ29vZ2xlLmNngg
Z29vZ2xlLmNsggsqLmdvb2dsZS
LmFvgg4qLmdvb2dsZS5jby5id4
LmNygg4qLmdvb2dsZS5jby5odY
Lmlsgg4qLmdvb2dsZS5jby5pbY
Lmplgg4qLmdvb2dsZS5jby5qcI
Lmtygg4qLmdvb2dsZS5jby5sc4
Lm16gg4qLmdvb2dsZS5jby5ueo
LnR6gg4qLmdvb2dsZS5jby51Z4
LnV6gg4qLmdvb2dsZS5jby52ZY
Lnphgg4qLmdvb2dsZS5jby56bY
bYIPKi5nb29nbGUuY29tLmFmgg
bS5haYIPKi5nb29nbGUuY29tLm
LmNvbS5iZIIPKi5nb29nbGUuY2
Z2xlLmNvbS5ib4IPKi5nb29nbG
Z29vZ2xlLmNvbS5ieoIPKi5nb2
DyouZ29vZ2xlLmNvbS5jdYIPKi
ZG+CDyouZ29vZ2xlLmNvbS5lY4
b20uZXSCDyouZ29vZ2xlLmNvbS
ZS5jb20uZ2iCDyouZ29vZ2xlLm
b2dsZS5jb20uZ3SCDyouZ29vZ2
Lmdvb2dsZS5jb20uam2CDyouZ2
gg8qLmdvb2dsZS5jb20ua3eCDy
Lmx5gg8qLmdvb2dsZS5jb20ubW
Y29tLm14gg8qLmdvb2dsZS5jb2
bGUuY29tLm5mgg8qLmdvb2dsZS
b29nbGUuY29tLm5wgg8qLmdvb2
Ki5nb29nbGUuY29tLnBhgg8qLm
Z4IPKi5nb29nbGUuY29tLnBogg
bS5wbIIPKi5nb29nbGUuY29tLn
LmNvbS5xYYIPKi5nb29nbGUuY2
Z2xlLmNvbS5zYoIPKi5nb29nbG
Z29vZ2xlLmNvbS5zdoIPKi5nb2
DyouZ29vZ2xlLmNvbS50coIPKi
dWGCDyouZ29vZ2xlLmNvbS51eY
b20udmWCDyouZ29vZ2xlLmNvbS
ggsqLmdvb2dsZS5kZYILKi5nb2
ZS5kbYILKi5nb29nbGUuZHqCCy
b29nbGUuZXVzggsqLmdvb2dsZS
ggwqLmdvb2dsZS5mcmyCCyouZ2
Z2xlLmdlggsqLmdvb2dsZS5nZ4
Lmdvb2dsZS5ncIILKi5nb29nbG
a4ILKi5nb29nbGUuaG6CCyouZ2
bGUuaHWCCyouZ29vZ2xlLmllgg
Z29vZ2xlLmluZm+CCyouZ29vZ2
aXOCCyouZ29vZ2xlLml0gg4qLm
Z29vZ2xlLmpvgg0qLmdvb2dsZS
a2eCCyouZ29vZ2xlLmtpggsqLm
Z2xlLmxpggsqLmdvb2dsZS5sa4
Lmdvb2dsZS5sdoILKi5nb29nbG
Z4ILKi5nb29nbGUubWuCCyouZ2
bGUubXOCCyouZ29vZ2xlLm11gg
Z29vZ2xlLm5lgg4qLmdvb2dsZS
ZS5uZ4ILKi5nb29nbGUubmyCCy
b29nbGUubnWCDyouZ29vZ2xlLm
LnBsggsqLmdvb2dsZS5wboILKi
b2dsZS5yb4ILKi5nb29nbGUucn
Ki5nb29nbGUuc2OCCyouZ29vZ2
c2mCCyouZ29vZ2xlLnNrggsqLm
Z2xlLnNvggsqLmdvb2dsZS5zco
Lmdvb2dsZS50ZWyCCyouZ29vZ2
dGyCCyouZ29vZ2xlLnRtggsqLm
Z2xlLnR0ggsqLmdvb2dsZS51YY
Lmdvb2dsZS52Z4ILKi5nb29nbG
YXBpcy5jb22CFSouZ29vZ2xlYW
ghQqLmdvb2dsZWNvbW1lcmNlLm
Ki5nb29nbGV2aWRlby5jb22CDC
Ki5ndnQxLmNvbYIKKi5ndnQyLm
bWV0cmljLmdzdGF0aWMuY29tgh
aW4uY29tghAqLnVybC5nb29nbG
gg0qLnlvdXR1YmUuY29tghYqLn
LmNvbYIVYWQubW8uZG91YmxlY2
Z2xlLmNvbYILYW5kcm9pZC5jb2
LmdsghRnb29nbGUtYW5hbHl0aW
CWdvb2dsZS5hZYIJZ29vZ2xlLm
Z2xlLmFtgglnb29nbGUuYXOCCW
YmGCCWdvb2dsZS5iZYIJZ29vZ2
Z29vZ2xlLmJqgglnb29nbGUuYn
bGUuY2GCCmdvb2dsZS5jYXSCCW
Y2aCCWdvb2dsZS5jZ4IJZ29vZ2
Z29vZ2xlLmNtgglnb29nbGUuY2
ggxnb29nbGUuY28uY2uCDGdvb2
bGUuY28uaWSCDGdvb2dsZS5jby
aW6CDGdvb2dsZS5jby5qZYIMZ2
b2dsZS5jby5rcoIMZ29vZ2xlLm
by5teoIMZ29vZ2xlLmNvLm56gg
Z29vZ2xlLmNvLnVnggxnb29nbG
LmNvLnZlggxnb29nbGUuY28udm
ggxnb29nbGUuY28ueneCDWdvb2
b2dsZS5jb20uYWmCDWdvb2dsZS
ZS5jb20uYmSCDWdvb2dsZS5jb2
b20uYm+CDWdvb2dsZS5jb20uYn
YnqCDWdvb2dsZS5jb20uY26CDW
DWdvb2dsZS5jb20uY3mCDWdvb2
b2dsZS5jb20uZWeCDWdvb2dsZS
ZS5jb20uZ2WCDWdvb2dsZS5jb2
b20uZ3KCDWdvb2dsZS5jb20uZ3
aXGCDWdvb2dsZS5jb20uam2CDW
DWdvb2dsZS5jb20ua3eCDWdvb2
b2dsZS5jb20ubW2CDWdvb2dsZS
ZS5jb20ubXmCDWdvb2dsZS5jb2
b20ubmeCDWdvb2dsZS5jb20ubm
bnKCDWdvb2dsZS5jb20ub22CDW
DWdvb2dsZS5jb20ucGeCDWdvb2
b2dsZS5jb20ucGyCDWdvb2dsZS
ZS5jb20ucWGCDWdvb2dsZS5jb2
b20uc2KCDWdvb2dsZS5jb20uc2
c3aCDWdvb2dsZS5jb20udGqCDW
DWdvb2dsZS5jb20udHeCDWdvb2
b2dsZS5jb20udmOCDWdvb2dsZS
ZS5jdoIJZ29vZ2xlLmN6gglnb2
gglnb29nbGUuZG2CCWdvb2dsZS
b2dsZS5ldXOCCWdvb2dsZS5maY
ZS5mcmyCCWdvb2dsZS5nYYIKZ2
Z2eCCWdvb2dsZS5nbIIJZ29vZ2
Z29vZ2xlLmd5gglnb29nbGUuaG
bGUuaHSCCWdvb2dsZS5odYIJZ2
boILZ29vZ2xlLmluZm+CCWdvb2
CWdvb2dsZS5pdIIMZ29vZ2xlLm
Z29vZ2xlLmpvYnOCCWdvb2dsZS
b2dsZS5reoIJZ29vZ2xlLmxhgg
Lmx0gglnb29nbGUubHWCCWdvb2
CWdvb2dsZS5tZ4IJZ29vZ2xlLm
Z2xlLm1zgglnb29nbGUubXWCCW
bmWCDGdvb2dsZS5uZS5qcIIKZ2
bmyCCWdvb2dsZS5ub4IJZ29vZ2
YWmCCWdvb2dsZS5wa4IJZ29vZ2
Z29vZ2xlLnB0gglnb29nbGUucm
bGUucneCCWdvb2dsZS5zY4IJZ2
aYIJZ29vZ2xlLnNrgglnb29nbG
b29nbGUuc3KCCWdvb2dsZS5zdI
bGUudGeCCWdvb2dsZS50a4IJZ2
boIJZ29vZ2xlLnRvgglnb29nbG
b29nbGUudXqCCWdvb2dsZS52Z4
ZWNvbW1lcmNlLmNvbYILZ3N0YX
Z2yCCHlvdXR1LmJlggt5b3V0dW
aAYIKwYBBQUHAQEEXDBaMCsGCC
b20vR0lBRzIuY3J0MCsGCCsGAQ
LmNvbS9vY3NwMB0GA1UdDgQWBB
Af8EAjAAMB8GA1UdIwQYMBaAFE
MBgwDAYKKwYBBAHWeQIFATAIBg
cDovL3BraS5nb29nbGUuY29tL0
SV9bUhHH3s0Nb//cZIkX02UUV0
j+KgZ7osZutGQem4Nnj1ViP1Vc
g/vvP7YYIFAkQMLdhCxfpkY4jF
QgaPbmBpztGyayqT/Qf7ABBmUK
6eJRrzv4sJGN9y6Y0047I/gfQu
3bZCaJ2MZ1bgPu3wIQ0wbw==
-----END CERTIFICATE-----
subject=/C=US/ST=Californi
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 10301 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 9808F335C451E449F655C77AB3
Session-ID-ctx:
Master-Key: 224B42CC4E5BFE1FEC6169B7E2
99896ED725E240A172AE45EEB2
Key-Arg : None
Start Time: 1463068023
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
Over the Netscaler VPN
penSSL> s_client -host www.google.co.uk -port 443
Loading 'screen' into random state - done
connect: Bad file descriptor
connect:errno=10060
error in s_client
Thanks
Rich
Please see the results below of the OpenSSL Test you have asked us to run:
Internal LAN
OpenSSL> s_client -host www.google.co.uk -port 443
Loading 'screen' into random state - done
CONNECTED(00000168)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mo
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equif
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIgHDCCHwSgAwIBAgIIN7KozY
BhMCVVMxEzARBgNVBAoTCkdvb2
cm5ldCBBdXRob3JpdHkgRzIwHh
WjBkMQswCQYDVQQGEwJVUzETMB
TW91bnRhaW4gVmlldzETMBEGA1
Z2xlLmNvbTCCASIwDQYJKoZIhv
LBcmg8UXFIEnSNC/HW8UdX0A1P
sgJHL0qKVvMF9h7fhO6UUlf2hL
yad0fL3iS7y0atkiT1h6YNdqq1
6dsnTjH6kozz1+nrQooyUEwTNy
XXANjK0nM+WRs9xIyrvW3pGe5I
sijYat7zAW0CAwEAAaOCHOswgh
BQcDAjCCG7cGA1UdEQSCG64wgh
LmFuZHJvaWQuY29tghYqLmFwcG
ZWNsaWNrLm5ldIILKi5jYy1kdC
ZS5kb3VibGVjbGljay5uZXSCES
aWNrLm5ldIIVKi5mbHMuZG91Ym
Lm5ldIIWKi5nb29nbGUtYW5hbH
Z2xlLmFkggsqLmdvb2dsZS5hZY
Lmdvb2dsZS5hbIILKi5nb29nbG
dIILKi5nb29nbGUuYXqCCyouZ2
bGUuYmaCCyouZ29vZ2xlLmJngg
Z29vZ2xlLmJzggsqLmdvb2dsZS
ggwqLmdvb2dsZS5jYXSCCyouZ2
bGUuY2aCCyouZ29vZ2xlLmNngg
Z29vZ2xlLmNsggsqLmdvb2dsZS
LmFvgg4qLmdvb2dsZS5jby5id4
LmNygg4qLmdvb2dsZS5jby5odY
Lmlsgg4qLmdvb2dsZS5jby5pbY
Lmplgg4qLmdvb2dsZS5jby5qcI
Lmtygg4qLmdvb2dsZS5jby5sc4
Lm16gg4qLmdvb2dsZS5jby5ueo
LnR6gg4qLmdvb2dsZS5jby51Z4
LnV6gg4qLmdvb2dsZS5jby52ZY
Lnphgg4qLmdvb2dsZS5jby56bY
bYIPKi5nb29nbGUuY29tLmFmgg
bS5haYIPKi5nb29nbGUuY29tLm
LmNvbS5iZIIPKi5nb29nbGUuY2
Z2xlLmNvbS5ib4IPKi5nb29nbG
Z29vZ2xlLmNvbS5ieoIPKi5nb2
DyouZ29vZ2xlLmNvbS5jdYIPKi
ZG+CDyouZ29vZ2xlLmNvbS5lY4
b20uZXSCDyouZ29vZ2xlLmNvbS
ZS5jb20uZ2iCDyouZ29vZ2xlLm
b2dsZS5jb20uZ3SCDyouZ29vZ2
Lmdvb2dsZS5jb20uam2CDyouZ2
gg8qLmdvb2dsZS5jb20ua3eCDy
Lmx5gg8qLmdvb2dsZS5jb20ubW
Y29tLm14gg8qLmdvb2dsZS5jb2
bGUuY29tLm5mgg8qLmdvb2dsZS
b29nbGUuY29tLm5wgg8qLmdvb2
Ki5nb29nbGUuY29tLnBhgg8qLm
Z4IPKi5nb29nbGUuY29tLnBogg
bS5wbIIPKi5nb29nbGUuY29tLn
LmNvbS5xYYIPKi5nb29nbGUuY2
Z2xlLmNvbS5zYoIPKi5nb29nbG
Z29vZ2xlLmNvbS5zdoIPKi5nb2
DyouZ29vZ2xlLmNvbS50coIPKi
dWGCDyouZ29vZ2xlLmNvbS51eY
b20udmWCDyouZ29vZ2xlLmNvbS
ggsqLmdvb2dsZS5kZYILKi5nb2
ZS5kbYILKi5nb29nbGUuZHqCCy
b29nbGUuZXVzggsqLmdvb2dsZS
ggwqLmdvb2dsZS5mcmyCCyouZ2
Z2xlLmdlggsqLmdvb2dsZS5nZ4
Lmdvb2dsZS5ncIILKi5nb29nbG
a4ILKi5nb29nbGUuaG6CCyouZ2
bGUuaHWCCyouZ29vZ2xlLmllgg
Z29vZ2xlLmluZm+CCyouZ29vZ2
aXOCCyouZ29vZ2xlLml0gg4qLm
Z29vZ2xlLmpvgg0qLmdvb2dsZS
a2eCCyouZ29vZ2xlLmtpggsqLm
Z2xlLmxpggsqLmdvb2dsZS5sa4
Lmdvb2dsZS5sdoILKi5nb29nbG
Z4ILKi5nb29nbGUubWuCCyouZ2
bGUubXOCCyouZ29vZ2xlLm11gg
Z29vZ2xlLm5lgg4qLmdvb2dsZS
ZS5uZ4ILKi5nb29nbGUubmyCCy
b29nbGUubnWCDyouZ29vZ2xlLm
LnBsggsqLmdvb2dsZS5wboILKi
b2dsZS5yb4ILKi5nb29nbGUucn
Ki5nb29nbGUuc2OCCyouZ29vZ2
c2mCCyouZ29vZ2xlLnNrggsqLm
Z2xlLnNvggsqLmdvb2dsZS5zco
Lmdvb2dsZS50ZWyCCyouZ29vZ2
dGyCCyouZ29vZ2xlLnRtggsqLm
Z2xlLnR0ggsqLmdvb2dsZS51YY
Lmdvb2dsZS52Z4ILKi5nb29nbG
YXBpcy5jb22CFSouZ29vZ2xlYW
ghQqLmdvb2dsZWNvbW1lcmNlLm
Ki5nb29nbGV2aWRlby5jb22CDC
Ki5ndnQxLmNvbYIKKi5ndnQyLm
bWV0cmljLmdzdGF0aWMuY29tgh
aW4uY29tghAqLnVybC5nb29nbG
gg0qLnlvdXR1YmUuY29tghYqLn
LmNvbYIVYWQubW8uZG91YmxlY2
Z2xlLmNvbYILYW5kcm9pZC5jb2
LmdsghRnb29nbGUtYW5hbHl0aW
CWdvb2dsZS5hZYIJZ29vZ2xlLm
Z2xlLmFtgglnb29nbGUuYXOCCW
YmGCCWdvb2dsZS5iZYIJZ29vZ2
Z29vZ2xlLmJqgglnb29nbGUuYn
bGUuY2GCCmdvb2dsZS5jYXSCCW
Y2aCCWdvb2dsZS5jZ4IJZ29vZ2
Z29vZ2xlLmNtgglnb29nbGUuY2
ggxnb29nbGUuY28uY2uCDGdvb2
bGUuY28uaWSCDGdvb2dsZS5jby
aW6CDGdvb2dsZS5jby5qZYIMZ2
b2dsZS5jby5rcoIMZ29vZ2xlLm
by5teoIMZ29vZ2xlLmNvLm56gg
Z29vZ2xlLmNvLnVnggxnb29nbG
LmNvLnZlggxnb29nbGUuY28udm
ggxnb29nbGUuY28ueneCDWdvb2
b2dsZS5jb20uYWmCDWdvb2dsZS
ZS5jb20uYmSCDWdvb2dsZS5jb2
b20uYm+CDWdvb2dsZS5jb20uYn
YnqCDWdvb2dsZS5jb20uY26CDW
DWdvb2dsZS5jb20uY3mCDWdvb2
b2dsZS5jb20uZWeCDWdvb2dsZS
ZS5jb20uZ2WCDWdvb2dsZS5jb2
b20uZ3KCDWdvb2dsZS5jb20uZ3
aXGCDWdvb2dsZS5jb20uam2CDW
DWdvb2dsZS5jb20ua3eCDWdvb2
b2dsZS5jb20ubW2CDWdvb2dsZS
ZS5jb20ubXmCDWdvb2dsZS5jb2
b20ubmeCDWdvb2dsZS5jb20ubm
bnKCDWdvb2dsZS5jb20ub22CDW
DWdvb2dsZS5jb20ucGeCDWdvb2
b2dsZS5jb20ucGyCDWdvb2dsZS
ZS5jb20ucWGCDWdvb2dsZS5jb2
b20uc2KCDWdvb2dsZS5jb20uc2
c3aCDWdvb2dsZS5jb20udGqCDW
DWdvb2dsZS5jb20udHeCDWdvb2
b2dsZS5jb20udmOCDWdvb2dsZS
ZS5jdoIJZ29vZ2xlLmN6gglnb2
gglnb29nbGUuZG2CCWdvb2dsZS
b2dsZS5ldXOCCWdvb2dsZS5maY
ZS5mcmyCCWdvb2dsZS5nYYIKZ2
Z2eCCWdvb2dsZS5nbIIJZ29vZ2
Z29vZ2xlLmd5gglnb29nbGUuaG
bGUuaHSCCWdvb2dsZS5odYIJZ2
boILZ29vZ2xlLmluZm+CCWdvb2
CWdvb2dsZS5pdIIMZ29vZ2xlLm
Z29vZ2xlLmpvYnOCCWdvb2dsZS
b2dsZS5reoIJZ29vZ2xlLmxhgg
Lmx0gglnb29nbGUubHWCCWdvb2
CWdvb2dsZS5tZ4IJZ29vZ2xlLm
Z2xlLm1zgglnb29nbGUubXWCCW
bmWCDGdvb2dsZS5uZS5qcIIKZ2
bmyCCWdvb2dsZS5ub4IJZ29vZ2
YWmCCWdvb2dsZS5wa4IJZ29vZ2
Z29vZ2xlLnB0gglnb29nbGUucm
bGUucneCCWdvb2dsZS5zY4IJZ2
aYIJZ29vZ2xlLnNrgglnb29nbG
b29nbGUuc3KCCWdvb2dsZS5zdI
bGUudGeCCWdvb2dsZS50a4IJZ2
boIJZ29vZ2xlLnRvgglnb29nbG
b29nbGUudXqCCWdvb2dsZS52Z4
ZWNvbW1lcmNlLmNvbYILZ3N0YX
Z2yCCHlvdXR1LmJlggt5b3V0dW
aAYIKwYBBQUHAQEEXDBaMCsGCC
b20vR0lBRzIuY3J0MCsGCCsGAQ
LmNvbS9vY3NwMB0GA1UdDgQWBB
Af8EAjAAMB8GA1UdIwQYMBaAFE
MBgwDAYKKwYBBAHWeQIFATAIBg
cDovL3BraS5nb29nbGUuY29tL0
SV9bUhHH3s0Nb//cZIkX02UUV0
j+KgZ7osZutGQem4Nnj1ViP1Vc
g/vvP7YYIFAkQMLdhCxfpkY4jF
QgaPbmBpztGyayqT/Qf7ABBmUK
6eJRrzv4sJGN9y6Y0047I/gfQu
3bZCaJ2MZ1bgPu3wIQ0wbw==
-----END CERTIFICATE-----
subject=/C=US/ST=Californi
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 10301 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 9808F335C451E449F655C77AB3
Session-ID-ctx:
Master-Key: 224B42CC4E5BFE1FEC6169B7E2
99896ED725E240A172AE45EEB2
Key-Arg : None
Start Time: 1463068023
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
Over the Netscaler VPN
penSSL> s_client -host www.google.co.uk -port 443
Loading 'screen' into random state - done
connect: Bad file descriptor
connect:errno=10060
error in s_client
Thanks
Rich
I am not sure wheter openssl "detects" the proxy and adjusts or fails..
One option is to try proxytunnel http://proxytunnel.sourceforge.net/intro.php to see whether it
One option is to try proxytunnel http://proxytunnel.sourceforge.net/intro.php to see whether it
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for updating
ASKER
Solution was found internally, however sharing on here for other users.
i.e. presumably the same business requirement requires the configuration on port 80 that causes your issue.
You are mixing two distinct technologies into the same channel.