Zscaler SSL/TLS Support


Zscaler SSL/TLS Support

Zscaler supports TLS 1.2 protocol in addition to TLS 1.0 and 1.1. With SSL inspection enabled, the Zscaler service inspects all TLS sessions.

Supported ECDHE Cipher Suites

Zscaler supports the following ECDHE cipher suites for PFS depending on the TLS protocol:

TLS Protocol ECDHE Cipher Suite
TLS 1.0
TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Supported DHE Cipher Suites

Zscaler supports the following DHE cipher suites for Perfect Forward Secrecy (PFS) depending on the TLS protocol:

TLS Protocol DHE Cipher Suite
TLS 1.0
TLS 1.1
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Supported RSA Cipher Suites

Zscaler supports the following RSA cipher suites:

TLS Protocol Cipher Suite
TLS 1.0
TLS 1.1
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.2 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

Unsupported Cipher Suites

Zscaler does not support the following cipher suites due to security or compatibility issues:

  • EXP
  • DSS
  • ECDSA
  • RC4-MD5
  • RC4-SHA
  • DES-CBC-SHA
  • DES-CBC3-SHA

Zscaler doesn't perform SSL inspection for websites that only use unsupported protocols, such as ECDSA. See an example of traffic from such a website.

Zscaler considers traffic from such websites undecryptable. You can specify how you want Zscaler to treat undecryptable traffic with the instructions below.

Allowing or Blocking Undecryptable Traffic

Zscaler treats traffic from the unsupported protocols listed above as undecryptable and doesn't perform SSL inspection on the websites. You can configure the SSL inspection policy to allow or block undecryptable traffic.

To allow or block undecryptable traffic:

  1. Go to Policy > SSL Inspection.
  2. Enable Block Undecryptable Traffic if you want to block any traffic Zscaler considers undecryptable.
    See image.
  3. Click Save and activate the change.

Screenshot of the Block Undecryptable Traffic switch for SSL inspection 

The following sample traffic is from a website that only supports ECDSA-based ciphers.

Zscaler treats traffic from this website as undecryptable and does not perform SSL inspection. It allows or blocks the traffic depending on the SSL inspection policy you set for undecryptable traffic.

miku@safemarch:~$ /usr/bin/openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -connect www.google.com:443 -servername www.google.com
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIIFfqidtnX/XYwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTgwMzI4MTMyMjAwWhcNMTgwNjIwMTMyMjAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7DS+a3Xnlb/L9
pEA4un6aZvXnewYykFH2T1YtD6sVKhdBeZkan0kJP5yFklKcoGHULb06TU0hKamR
mB3EuMldo4IBUTCCAU0wEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
AgeAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMGgGCCsGAQUFBwEBBFwwWjAr
BggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDArBggr
BgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNVHQ4E
FgQUjYCseoF3qs7kDjtxeq1qgTNqQ18wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAW
gBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAYMAwGCisGAQQB1nkCBQEw
CAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNv
bS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAHQwRfV7L6Gm/IxMuIzpDmRG
LwkD3i4AuBTtAiadtMZ6Hb4e8AE3Fsfne2ncP91MreiVS0pmTg7TRQbPDdlXi7Tr
w9uPWCvS16gpgJ5FVw4itNjtmevMCUB4h204KkoizBGJhzb9M9NTFEKlyRD/MlnD
2EPBcIGToORexhiP7d+NUXz/bDBK/BIgs/bNnYHQnleJaO+AP0IpXPa8vKgulW8V
/QNmjiEELghg5fI3N36LjfIr3s19weAFO4YbL6ENNLSkY+JGBHJiRnO+481F73ei
WpKVVoXi7MVSvjgZLn+Zpw+cNxe1CDq24x6Lp9Oiw63NUu/wEAChmBbplJ2vURM=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3449 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 47B057E311FB91AE392433A2BABC6DC90BFDA53F2117F641B9267497BBE6F864
    Session-ID-ctx:
    Master-Key: B8C6ADD3B4FCF2E70678905C4B5690DF36AE8431E5DE56E5102865C08BD449956BA45A966DF7CEDB163E7FD27137E9CF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 cc 89 78 a4 5c 9b b1-cf 25 83 7b 59 41 ff 5c   ...x.\...%.{YA.\
    0010 - db d3 6d 51 78 a4 9d 46-9b 62 35 a5 db 46 ea 30   ..mQx..F.b5..F.0
    0020 - 2b 74 4b 68 87 72 e1 99-c1 5f 75 45 19 26 62 1d   +tKh.r..._uE.&b.
    0030 - 82 ac 06 b2 79 ac 1f 4d-c1 45 85 92 f1 9c 32 fe   ....y..M.E....2.
    0040 - 83 fa a6 d5 c0 19 bf 69-c8 34 e3 19 a0 12 87 e6   .......i.4......
    0050 - e0 f0 96 0e 11 67 70 97-be 72 96 cb b0 b3 8b 16   .....gp..r......
    0060 - e8 4e 44 46 91 16 50 68-4d 6e b7 1b 2a 88 0c 15   .NDF..PhMn..*...
    0070 - 5b 3d ef f5 80 4b 39 ec-93 5a 02 e3 99 89 c6 e0   [=...K9..Z......
    0080 - 51 92 2a 98 0a 81 dc cb-71 cd 3e 05 98 fb f0 b7   Q.*.....q.>.....
    0090 - cd bd ed 55 9e f4 11 44-e0 74 39 c6 ee 60 71 76   ...U...D.t9..`qv
    00a0 - aa 95 50 e6 66 6e 9f f2-df fb 8a ec 0a 72 17 2a   ..P.fn.......r.*
    00b0 - 24 77 bd af 0e 5b a7 1a-22 89 b5 ea 71 6c ba 3f   $w...[.."...ql.?
    00c0 - 91 6d bb fa b8 ac 89 6b-ee 4a 76 6f 6a fa 9a d9   .m.....k.Jvoj...
    00d0 - 39 8f 6f 55 76                                    9.oUv

    Start Time: 1524553086
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---