
This is a problem related to SSL handshake failures when an anti-virus (Kaspersky) is in between.

From Wireshark, I am able to notice that the SSL handshake is successful (i.e. towards the end the client sends "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message" and the server responds with "Change Cipher Spec, Encrypted Handshake Message"). After this the client initiates a FIN and closes the connection.

But when my anti-virus is turned off or if I disable the "Scan encrypted connections" setting in Kaspersky, I could see the client SSL connections are all successful and the client is able to send data.

I would appreciate it if someone could explain this behavior and how I can bypass this without changing my customer's anti-virus settings.

2 Answers


Check "Scan encrypted connections" option

It seems Kaspersky does SSL interception (Man in the Middle).

I would appreciate if someone could explain this behavior

Some clients may use certificate pinning. And those cannot be easily Man-in-the-middled by using a different certificate. Try turning SSL interception off.

(Please tell me what clients these are! I'm curious.)

From Certificate Pinning:

One way to detect and block many kinds of MITM attacks is "certificate pinning", sometimes called "SSL pinning" but more accurately called "public key pinning". A client that does key pinning adds an extra step beyond the normal X.509 certificate validation: After obtaining the server's certificate in the standard way, the client checks the public key(s) in the server's certificate chain against a set of (hashes of) public keys for the server name. Typically the public key hashes are bundled with the application.

Just to clarify, this isn't an attack. The man in the middle performed by Kaspersky is used to scan HTTP traffic for malicious web data. This is what they mean by Scan Encrypted Connections.

how I can bypass this without changing my customer's anti-virus settings

I don't know if this is possible. Depends on the client software. Google Chrome for example will not enforce pins for locally added CAs. (Archived here.) This is explicitly meant to allow SSL/TLS interception. Some other client software may not be so lenient.


StackzOfZtuff

That's the effect of most antivirus vendors' "safe browsing" protection, which intercepts all HTTPS traffic (technically it should be called a TLS intercept). They act as a "trusted" provider (in the case of HTTPS) and, acting as a proxy, intercept all browser requests - both HTTP and HTTPS - checking whether the visited websites serve any malicious content.

I would dispute the security merits of this kind of behavior, and have in the past disabled "safe browsing" type of antivirus shield components or modules.

Here's an interesting (and informative) article on how this HTTPS interception behavior may compromise your security.

Milen