Affected Products ProxySG 6.5.9.x or earlier releases ASG 18.104.22.168 or earlier releases ProxySG 22.214.171.124 or earlier releases ProxySG 126.96.36.199
Symantec was alerted to an interoperability issue between ProxySG and ASG products and TLS 1.3 in certain configurations. Google recently enabled field trial support for TLS 1.3, in Chrome Browser and ChromeOS 56 while accessing select Google servers. Users of Symantec ProxySG, other proxy and filtering solutions may see a connection issue as a result. Clients that enable TLS 1.3, (Chrome 56 and later versions, FireFox 52 and later versions) and access TLS 1.3 enabled servers, may experience SSL connection failures when going through ProxySG or ASG.
For a more extensive discussion on this issue, please see this TLS 1.3 webinar:
Fixes for TLS 1.3 interoperability are complete and included in the releases listed in the Resolution section.
For Chrome users: TLS 1.3 can be disabled by accessing URL “chrome://flags/#tls13-variant”, changing the setting from “Default” to “Disabled”, and then relaunching Chrome. The below image shows the configuration set to TLS 1.2:
(Note: Chrome will use TLS 1.3 by default starting with Chrome version 65.)
For FireFox users: TLS 1.3 can be disabled by accessing URL “about:config”, search for security.tls.version.max, change it from “4”, which is TLS 1.3, to “3”, which is TLS 1.2, and restart the browser. The below image shows the the configuration set to “3”, which is TLS 1.2:
How to confirm if TLS 1.3 is supported by a browser: SSL Labs provides a URL which will test and report the TLS versions supported by the browser requesting the URL. That URL is https://www.ssllabs.com/ssltest/viewMyClient.html. The following screenshots show the results of the above URL on FireFox 52 with its default configuration:
And after following the steps above to disable TLS 1.3 support: