Why does Zscaler block the Dropbox application because of "Blocked due to Bad SSL record"?


I tried testing Zscaler with the Dropbox application on a computer and Zscaler blocks it because of “Blocked due to Bad SSL record” (Policy Reasons | Zscaler). The Zscaler SSL exception list should catch this but it didn’t, so I made an SSL inspection exclusion for the cloud app Google Hangouts, which Zscaler Web Insights detects, since Zscaler marks the web Dropbox traffic and blocks it because it thinks non-SSL traffic is being tunneled on an SSL port, but it still blocks.

I tried switching between Tunnel 1.0 and 2.0, making exceptions (URL, IP, FQDN) for the tunnels, and allowing the cloud app and URL in all policies just in case, but nothing helps. When I added the URL mtalk.google.com for Google Hangouts to the exclusion list for Tunnel 2.0 or to the PAC file, I still can’t connect with ZIA enabled and I have no web logs for anything being blocked.

Dropbox is added to ZDX monitoring, so Zscaler should fix this, as the Zscaler connector is also the latest version.

It seems that for some reason some FQDNs need to be bypassed, either in the Tunnel 2.0 bypass for the VPN gateway or in the PAC file:

Dropbox is no longer needed by me, but it is strange that the SSL decryption logs don’t show that there is SSL decryption and that Zscaler has not officially documented which FQDNs/URLs need a bypass, but TAC support needs to be contacted. Edit: Even the option to allow sites that can’t be decrypted did not help, although this could be a better solution, so Zscaler needs to look into this, as Dropbox may use pinned SSL certs or another method, but the option should still work. It seems to me to be a bug where Zscaler does not correctly allow sites that can’t be decrypted.
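Added here as an illustration (not code from the original post or from Zscaler): a PAC file in the shape the post refers to, sending the FQDNs on a bypass list DIRECT (outside the proxy, and therefore outside SSL inspection) and everything else to the ZIA gateway. The `${GATEWAY}` macro, the placeholder Dropbox entry and the stand-in helper functions are assumptions; the only bypass host taken from the post is mtalk.google.com, and the real Dropbox FQDNs are not on the page.

```javascript
// Stand-ins for two helpers the PAC runtime normally supplies, so this file
// can be exercised in Node outside a browser or Zscaler Client Connector.
// dnsDomainIs is a plain suffix check, as in the Mozilla reference PAC code.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
// shExpMatch: shell-style glob ("*" and "?") against a string, case-insensitive.
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Constructed bypass list. A leading "." covers the domain and every
// subdomain; "*"/"?" entries are globs; anything else is an exact FQDN.
var BYPASS_FQDNS = [
  "mtalk.google.com",                   // Hangouts push channel, named in the post
  ".placeholder-dropbox-host.example"   // placeholder: replace with the FQDNs TAC names
];

// Assumption: the deployment uses Zscaler's ${GATEWAY} macro for the ZIA node.
var ZSCALER_PROXY = "PROXY ${GATEWAY}:80; DIRECT";

// True when the host matches an entry on the bypass list.
function isBypassed(host) {
  host = host.toLowerCase();
  for (var i = 0; i < BYPASS_FQDNS.length; i++) {
    var entry = BYPASS_FQDNS[i].toLowerCase();
    if (entry.charAt(0) === ".") {
      if (host === entry.substring(1) || dnsDomainIs(host, entry)) return true;
    } else if (entry.indexOf("*") !== -1 || entry.indexOf("?") !== -1) {
      if (shExpMatch(host, entry)) return true;
    } else if (host === entry) {
      return true;
    }
  }
  return false;
}

// Entry point the browser or client calls for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return "DIRECT";
  return ZSCALER_PROXY;
}
```

A PAC bypass only steers what the browser or application proxies; traffic captured by Z-Tunnel 2.0 needs the separate tunnel bypass the post mentions.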