...
Connection events are generated with the reason "Do Not Decrypt (Unsupported Cipher Suite)" for TLS 1.3 flows that should match a Decrypt - Resign rule in the decryption policy.
The flow through the device is TLS 1.3, offers ONLY TLS 1.3 cipher suites, and matches a Decrypt - Resign rule. Snort 3 is running with the "Enable TLS 1.3 Decryption" option disabled (the default setting).
Enable the "Enable TLS 1.3 Decryption" option in the Advanced settings of the decryption (SSL) policy.
This bug is to improve the serviceability around "Unsupported Cipher Suite" caused by TLS 1.3-only cipher suites when TLS 1.3 support is not enabled. You can check which cipher suites are supported with the following CLISH command (run from the FTD CLI):
system support ssl-hw-supported-ciphers
When TLS 1.3 support is enabled you will see the TLS 1.3 cipher suites, for example:
CID      Cipher Suite Name                 FIPS Approved
---------------------------------------------------------------------
0x1302   TLS_AES_256_GCM_SHA384            Yes
0x1301   TLS_AES_128_GCM_SHA256            Yes
...
When TLS 1.3 support is disabled, the TLS 1.3 cipher suites are not listed. It is not obvious from the debugs or the connection events how to fix this problem; this bug is a request to improve the debug logs so that they help determine the cause.
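To make the cause visible without better debug logs, here is an added Python example (not Cisco's code and not part of the bug report) that parses the `system support ssl-hw-supported-ciphers` table and decides whether a flow's ClientHello offer can be resigned or is a TLS 1.3-only offer against a device with TLS 1.3 decryption disabled. The two table samples are constructed, the assumption that a disabled device lists no 0x13xx suites comes from the description above, and the verdict strings are my own naming.

```python
import re

# Constructed sample of `system support ssl-hw-supported-ciphers` output with
# TLS 1.3 decryption DISABLED (assumption: the table then lists no 0x13xx suites).
SUPPORTED_TLS13_DISABLED = """\
CID     Cipher Suite Name                        FIPS Approved
---------------------------------------------------------------------
0xc02f  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    Yes
0xc030  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    Yes
"""

# Same device with TLS 1.3 decryption ENABLED: the TLS 1.3 suites appear as well.
SUPPORTED_TLS13_ENABLED = SUPPORTED_TLS13_DISABLED + """\
0x1302  TLS_AES_256_GCM_SHA384                   Yes
0x1301  TLS_AES_128_GCM_SHA256                   Yes
"""

# One table row: hex cipher ID, IANA suite name, FIPS column. Header/rule lines never match.
ROW = re.compile(r"^\s*(0x[0-9a-fA-F]{4})\s+(\S+)\s+(Yes|No)\s*$")

DECRYPTABLE = "decryptable"
TLS13_ONLY = "unsupported cipher suite: client offered only TLS 1.3 suites; enable TLS 1.3 decryption"
OTHER = "unsupported cipher suite: no overlap with the device list for another reason"


def parse_supported(output):
    """Return {cipher_id: suite_name} from the CLISH table text."""
    supported = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            supported[int(m.group(1), 16)] = m.group(2)
    return supported


def is_tls13_suite(cipher_id):
    """TLS 1.3 suites live in the 0x13xx block (RFC 8446, Appendix B.4)."""
    return (cipher_id >> 8) == 0x13


def classify(client_hello_ciphers, supported):
    """Verdict for one flow from the suites in its ClientHello and the device's list."""
    offered = set(client_hello_ciphers)
    if offered & set(supported):
        return DECRYPTABLE          # at least one common suite, so resign can proceed
    if offered and all(is_tls13_suite(c) for c in offered):
        return TLS13_ONLY           # the exact case this bug describes
    return OTHER
```

Feed `classify()` the cipher list captured from the flow's ClientHello and the live CLISH output; a TLS13_ONLY verdict points straight at the workaround above.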