Zscaler Support for TLS 1.2

Zscaler supports the TLS 1.2 protocol in addition to TLS 1.0 and 1.1. With SSL inspection enabled, the Zscaler service inspects all TLS sessions.

Supported Cipher Suites

Zscaler supports the following cipher suites:

TLS Protocol        Cipher Suite
TLS 1.0; TLS 1.1    TLS_RSA_WITH_AES_256_CBC_SHA
                    TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.2             TLS_RSA_WITH_AES_256_GCM_SHA384
                    TLS_RSA_WITH_AES_128_GCM_SHA256
                    3DES_EDE_CBC_SHA

Supported DHE Cipher Suites

Zscaler supports the following DHE cipher suites for Perfect Forward Secrecy (PFS); which suites are available depends on the TLS protocol version negotiated.

TLS Protocol        DHE Cipher Suite
TLS 1.0; TLS 1.1    TLS1_DHE_RSA_WITH_AES_256_SHA256
                    TLS1_DHE_RSA_WITH_AES_256_SHA
                    TLS1_DHE_RSA_WITH_AES_128_SHA256
                    TLS1_DHE_RSA_WITH_AES_128_SHA
TLS 1.2             TLS1_DHE_RSA_WITH_AES_256_GCM_SHA384
                    TLS1_DHE_RSA_WITH_AES_128_GCM_SHA256
                    TLS1_DHE_RSA_WITH_AES_256_SHA256
                    TLS1_DHE_RSA_WITH_AES_256_SHA
                    TLS1_DHE_RSA_WITH_AES_128_SHA256
                    TLS1_DHE_RSA_WITH_AES_128_SHA

Unsupported Cipher Suites

Zscaler does not support the following cipher suites due to security or compatibility issues.

  • EXP
  • ECDHE
  • DSS
  • RC4-MD5
  • RC4-SHA
  • DES-CBC-SHA
  • DES-CBC3-SHA

Zscaler does not perform SSL inspection for websites that offer only unsupported cipher suites, for example websites that offer only ECDHE-based suites. The following sample nmap output is from such a website: it supports only ECDHE-based ciphers in every TLS version.

Zscaler treats traffic from this website as undecryptable and does not perform SSL inspection. It allows or blocks the traffic depending on the SSL inspection policy you set for undecryptable traffic.

# nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-29 13:14 CET
Nmap scan report for www.example.com (12.34.56.51)
Host is up (0.15s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.example.com/organizationName=Example Inc./stateOrProvinceName=CA/countryName=US
| Issuer: commonName=DigiCert SHA2 Extended Validation Server CA/organizationName=DigiCert Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-08-12T23:00:00+00:00
| Not valid after:  2017-08-16T11:00:00+00:00
| MD5:   93cd 92ef 3aae d950 de76 1d6c 54aa 65d3
|_SHA-1: f8f9 b3a3 6d3e e72e 829d d0d5 5626 8c9e 06f5 c845
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
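The scan above can be checked mechanically. The following script is an added example, not Zscaler code: it parses nmap's ssl-enum-ciphers output, maps the cipher-suite names listed on this page to the IANA spelling that nmap prints, and reports, per protocol version, which offered suites overlap with the supported list. No overlap in any version is the undecryptable case described above. The mapping from the page's spellings (the "TLS1_" prefix, DHE suites written without a "_CBC" token, and "3DES_EDE_CBC_SHA") to IANA names is an assumption of this example, as is the second, invented server that also offers one RSA suite for contrast.

```python
"""Predict whether Zscaler SSL inspection could decrypt a server's traffic,
given that server's nmap ssl-enum-ciphers output and the cipher-suite lists
on this page.

Added example, not Zscaler code. The supported-suite lists are copied from
the page; the scan text is a constructed (abridged) copy of the page's
sample plus an invented second server.
"""
import re

# Suites the page lists as supported, spelled exactly as the page spells them.
# The page gives TLS 1.1 the same list as TLS 1.0.
PAGE_SUPPORTED = {
    "TLSv1.0": [
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS1_DHE_RSA_WITH_AES_256_SHA256",
        "TLS1_DHE_RSA_WITH_AES_256_SHA",
        "TLS1_DHE_RSA_WITH_AES_128_SHA256",
        "TLS1_DHE_RSA_WITH_AES_128_SHA",
    ],
    "TLSv1.2": [
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "3DES_EDE_CBC_SHA",
        "TLS1_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS1_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS1_DHE_RSA_WITH_AES_256_SHA256",
        "TLS1_DHE_RSA_WITH_AES_256_SHA",
        "TLS1_DHE_RSA_WITH_AES_128_SHA256",
        "TLS1_DHE_RSA_WITH_AES_128_SHA",
    ],
}
PAGE_SUPPORTED["TLSv1.1"] = PAGE_SUPPORTED["TLSv1.0"]


def to_iana(name):
    """Map the page's spelling of a suite to the IANA name that nmap prints.

    Assumptions of this example: the page's "TLS1_" prefix is the IANA "TLS_"
    prefix, its AES DHE suites without a mode token are the CBC suites, and
    "3DES_EDE_CBC_SHA" is TLS_RSA_WITH_3DES_EDE_CBC_SHA.
    """
    if name == "3DES_EDE_CBC_SHA":
        return "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    name = re.sub(r"^TLS1_", "TLS_", name)
    # Insert the missing _CBC only when AES_xxx is followed directly by SHA.
    return re.sub(r"(AES_(?:128|256))_(SHA(?:256)?)$", r"\1_CBC_\2", name)


SUPPORTED = {p: {to_iana(s) for s in v} for p, v in PAGE_SUPPORTED.items()}

PROTO_LINE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.\d):")
SUITE_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+\S+")


def parse_enum_ciphers(nmap_text):
    """Return {protocol: [suite, ...]} from nmap ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in nmap_text.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            proto = m.group(1)
            offered.setdefault(proto, [])  # "SSLv3: No supported ciphers" stays empty
            continue
        m = SUITE_LINE.match(line)
        if m and proto:
            offered[proto].append(m.group(1))
    return offered


def inspectable_suites(offered):
    """Per protocol, the offered suites that also appear in the page's list."""
    return {p: [s for s in suites if s in SUPPORTED.get(p, set())]
            for p, suites in offered.items()}


def is_undecryptable(offered):
    """True when no protocol version shares a suite with the supported list."""
    return not any(inspectable_suites(offered).values())


def key_exchange_families(offered):
    """Key-exchange/authentication prefixes offered, e.g. {'ECDHE_RSA'}."""
    families = set()
    for suites in offered.values():
        for s in suites:
            m = re.match(r"TLS_(.+?)_WITH_", s)
            if m:
                families.add(m.group(1))
    return families


# Constructed, abridged copy of the page's scan of an ECDHE-only server.
ECDHE_ONLY_SCAN = """\
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Invented server (not on the page) that also offers one RSA suite.
MIXED_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""

if __name__ == "__main__":
    for label, scan in (("page sample", ECDHE_ONLY_SCAN), ("invented", MIXED_SCAN)):
        offered = parse_enum_ciphers(scan)
        print(label, "undecryptable:", is_undecryptable(offered),
              "families:", sorted(key_exchange_families(offered)),
              "inspectable:", inspectable_suites(offered))
```

Run against the page's sample, every version yields an empty overlap and the families set is just ECDHE_RSA, which is the undecryptable outcome the page describes; the invented server overlaps on TLS_RSA_WITH_AES_128_GCM_SHA256 in TLS 1.2, so a session Zscaler negotiates with that suite could be inspected.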

Zscaler considers traffic from such websites undecryptable. You can specify how you want Zscaler to treat undecryptable traffic by following the instructions below.

Configuring Policy for Undecryptable Traffic

1. Go to Policy > Web > SSL Inspection.

2. Under Policy for SSL Decryption:

  • Select Block Undecryptable Traffic if you want to block any traffic Zscaler considers undecryptable.
  • Leave it unselected if you want to allow traffic Zscaler considers undecryptable.

[Screenshot: Block Undecryptable Traffic switch for Zscaler SSL inspection]

3. Click Save and activate the change.