Symptom
With an SSL inspection policy enabled, TLS 1.3 connections fail for traffic that matches SSL decryption rules.
In addition, SSL traffic using the TLS 1.3 protocol is neither decrypted nor inspected by any managed device capable of SSL encryption and decryption, regardless of SSL policies and rules.
Users cannot load websites if the browser uses TLS 1.3. The following error is displayed in the browser:
ERR_SSL_VERSION_INTERFERENCE
Conditions
- SSL inspection policy is enabled
- TLS 1.3 is enabled in the browser
- The website supports TLS 1.3
Workaround
Configure your managed device to remove extension 43 (supported_versions, the ClientHello extension that advertises TLS 1.3) from the ClientHello negotiation. As a result, the server and client fall back to a TLS 1.2 handshake.
Use the following steps on your managed device:
1. Start an SSH session with your managed device. See the appropriate command line reference for your managed device.
2. Configure extension removal through the CLI:
> system support ssl-client-hello-tuning extensions_remove 43
3. Run the following command to stop Firepower from trying to downgrade TLS 1.3:
> system support ssl-client-hello-enabled tls13_downgrade false
4. Follow the prompts on your screen to restart the detection engine, Snort. For example:
> pmtool restartbytype DetectionEngine
5. Confirm extension removal is configured successfully:
> system support ssl-client-hello-display
extensions_remove=43
tls13_downgrade=false
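To show what the extensions_remove tuning does on the wire, the following is an added example (not Cisco's code): it parses a constructed TLS ClientHello record, strips extension 43 (supported_versions) and rewrites the record, handshake and extensions length fields so the message stays well-formed. The sample record, the cipher suite and group values, and all function names are assumptions made for the example.

```python
import struct

# IANA TLS extension type numbers. 43 = supported_versions, the extension a client
# uses to advertise TLS 1.3; 10 = supported_groups, kept as an untouched bystander.
SUPPORTED_VERSIONS = 43
SUPPORTED_GROUPS = 10


def _rebuild(body_prefix, exts):
    """Re-encode a ClientHello from its fixed fields plus an extension list, fixing all lengths."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = body_prefix + struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def build_client_hello(exts):
    """Constructed sample ClientHello (not a real capture): legacy_version 1.2, zero random,
    empty session id, one cipher suite (TLS_AES_128_GCM_SHA256), null compression."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    return _rebuild(body, exts)


def _split(record):
    """Walk the variable-length fields; return (fixed body prefix, [(type, data), ...])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                                    # headers, legacy_version, random
    p += 1 + record[p]                                # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                                # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    exts, q, end = [], p + 2, p + 2 + ext_len
    while q < end:
        t, l = struct.unpack("!HH", record[q:q + 4])
        exts.append((t, record[q + 4:q + 4 + l]))
        q += 4 + l
    return record[9:p], exts


def extension_types(record):
    return [t for t, _ in _split(record)[1]]


def remove_extension(record, ext_type):
    """Drop every extension of the given type and rewrite the three enclosing lengths.
    Without supported_versions a server can only negotiate legacy_version, i.e. TLS 1.2."""
    prefix, exts = _split(record)
    return _rebuild(prefix, [(t, d) for t, d in exts if t != ext_type])


if __name__ == "__main__":
    hello = build_client_hello([(SUPPORTED_GROUPS, b"\x00\x02\x00\x1d"),
                                (SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03")])
    print(extension_types(hello), "->", extension_types(remove_extension(hello, 43)))
```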
Further Problem Description