Palo Alto Networks Knowledgebase: Web browsing fails with error: SSL_ERROR_RX_RECORD_TOO_LONG

Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM
URL Filtering
Resolution

This article shows how to fix web browsing that fails with the error code SSL_ERROR_RX_RECORD_TOO_LONG, using facebook.com as the example.

 


Cause

Error code "SSL_ERROR_RX_RECORD_TOO_LONG" means the web server is sending non-secure (HTTP) data where secure (HTTPS) data is expected by the web browser.

Details

The security policy rule on the firewall refers to the URL Filtering profile "facebook test".

In that URL Filtering profile on the firewall, the social-networking category has an action of continue.

With an action of continue on the URL category, the firewall sends a redirect message to the client that prompts the user to click Continue to proceed to the web page.

This Continue redirect message sent by the firewall is an HTTP response.

Note: This redirect message shows the URL category and the security policy rule matched by this traffic.

When browsing to www.facebook.com, the browser makes a request for https://www.facebook.com.

In this case, the browser expects an HTTPS (SSL/TLS) reply, so it treats the plain HTTP redirect message that the firewall sends for continue as an invalid response and shows the error SSL_ERROR_RX_RECORD_TOO_LONG.
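Why a plain HTTP reply surfaces as a "record too long" error, as an added example that is not part of the original article: the sketch reads the first five bytes of a reply as a TLS record header, the way a TLS client does, and compares the length field with the RFC 5246 ceiling. The function names and both sample byte strings are constructed for illustration; the "200 OK" status line is a placeholder, not the firewall's actual response.

```python
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext fragment must not exceed 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
# Record-layer content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}

def parse_record_header(data: bytes) -> dict:
    """Interpret the first five bytes as a TLS record header:
    content type (1 byte), protocol version (2 bytes), length (2 bytes, big-endian)."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_reply(data: bytes) -> tuple:
    """Return (verdict, header) for the first bytes received on an HTTPS connection."""
    hdr = parse_record_header(data)
    if data.startswith(b"HTTP/"):
        # 'P' (0x50) and '/' (0x2F) land in the length field: 0x502F = 20527.
        verdict = "plaintext-http"
    elif (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
          and hdr["length"] <= MAX_RECORD_LEN):
        verdict = "tls-record"
    else:
        verdict = "unknown"
    return verdict, hdr

# Constructed samples. Only the leading bytes matter; the status line and body
# are placeholders, not a capture of the firewall's actual response page.
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
# Handshake record header (type 22, version 3.3, length 90) plus a 90-byte body.
TLS_REPLY = bytes.fromhex("160303005a") + b"\x02" + b"\x00" * 89

if __name__ == "__main__":
    for name, reply in (("http", HTTP_REPLY), ("tls", TLS_REPLY)):
        verdict, hdr = classify_reply(reply)
        too_long = hdr["length"] > MAX_RECORD_LEN
        print(f"{name}: {verdict}, length field {hdr['length']}, over limit: {too_long}")
```

When troubleshooting, the same reading applies to a packet capture: if the first server bytes on the HTTPS connection are ASCII "HTTP/", the reply was sent in clear text.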

 


 

Solution

Either of the following two solutions resolves this issue:

  • Enable outbound SSL decryption on the firewall.

OR

  • Run the following command on the firewall. This allows the SSL handshake to complete before the firewall sends an HTTP response page to the client.

# set deviceconfig setting ssl-decrypt url-proxy yes

 


