Zscaler Support for TLS 1.2

Zscaler supports the TLS 1.2 protocol in addition to TLS 1.0 and 1.1. With SSL inspection enabled, the Zscaler service inspects all TLS sessions.

Supported Ciphers

Zscaler supports the following cipher suites.

  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-SHA
  • AES128-SHA
  • DES-CBC3-SHA

Unsupported Ciphers

Zscaler does not support the following cipher suites due to security or compatibility issues.

  • EXP
  • ECDHE
  • DSS
  • RC4-MD5
  • RC4-SHA
  • DES-CBC-SHA

Zscaler does not perform SSL inspection for websites that only use unsupported cipher suites (such as ECDHE-based suites). An example of traffic from such a website is shown below.

Zscaler considers traffic from such websites undecryptable. You can specify how you want Zscaler to treat undecryptable traffic with the instructions below.


The following sample traffic is from a website that only supports ECDHE-based ciphers.

Zscaler treats traffic from this website as undecryptable and does not perform SSL inspection. It allows or blocks the traffic depending on the SSL inspection policy you set for undecryptable traffic.

# nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-29 13:14 CET
Nmap scan report for www.example.com (12.34.56.51)
Host is up (0.15s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.example.com/organizationName=Example Inc./stateOrProvinceName=CA/countryName=US
| Issuer: commonName=DigiCert SHA2 Extended Validation Server CA/organizationName=DigiCert Inc/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-08-12T23:00:00+00:00
| Not valid after:  2017-08-16T11:00:00+00:00
| MD5:   93cd 92ef 3aae d950 de76 1d6c 54aa 65d3
|_SHA-1: f8f9 b3a3 6d3e e72e 829d d0d5 5626 8c9e 06f5 c845
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
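
As an added example (not Zscaler's own code), the following Python script reads nmap ssl-enum-ciphers output such as the capture above and reports whether the server offers any cipher suite from the supported list on this page, i.e. whether Zscaler would be able to inspect it or would treat it as undecryptable. The mapping from the page's OpenSSL-style names to the IANA names nmap prints, and the two abbreviated sample outputs, are constructed for this example.

```python
import re

# Supported suites from this page (OpenSSL names) mapped to the IANA names
# that nmap's ssl-enum-ciphers script prints. Mapping assumed for this example.
SUPPORTED_IANA = {
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Matches lines like "|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+\w+", re.M)


def offered_ciphers(nmap_output):
    """Return the set of IANA cipher names the server offered (all TLS versions)."""
    return set(CIPHER_LINE.findall(nmap_output))


def inspectable_ciphers(nmap_output):
    """Return the offered suites that appear on the supported list."""
    return offered_ciphers(nmap_output) & set(SUPPORTED_IANA.values())


def is_undecryptable(nmap_output):
    """True when no offered suite is on the supported list (ECDHE-only servers)."""
    return not inspectable_ciphers(nmap_output)


# Constructed, abbreviated nmap outputs: one ECDHE-only server as in the capture
# above, and one that also offers an RSA key-exchange suite.
ECDHE_ONLY = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""

WITH_RSA = ECDHE_ONLY.replace(
    "|_  least strength",
    "|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong\n|_  least strength")

if __name__ == "__main__":
    for name, out in (("ECDHE-only", ECDHE_ONLY), ("with RSA", WITH_RSA)):
        print(name, "undecryptable" if is_undecryptable(out) else "inspectable")
```

Run it against a real scan by piping the nmap output into `is_undecryptable`.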


Configuring Policy for Undecryptable Traffic

1. Go to Policy > Web > SSL Inspection.

2. Under Policy for SSL Decryption:

  • Select Block Undecryptable Traffic if you want to block any traffic Zscaler considers undecryptable.
  • Do not select if you want to allow traffic Zscaler considers undecryptable.

3. Click Save and activate the change.