All SSL Visibility hardware platforms on release 3.10.x or prior
Symantec was alerted to an interoperability issue between Symantec SSL Visibility products and TLS 1.3 in certain configurations. Users of Symantec SSL Visibility appliances on affected releases, depending on their configured policy, may see connection issues as a result.
By default, the Symantec SSL Visibility appliance cuts through TLS 1.3 connections. However, for customers who have configured the "Catch All Action" to drop/reject, clients that enable TLS 1.3 (Chrome 56, Firefox 52) and access TLS 1.3-enabled servers may experience SSL connection failures when going through the SSL Visibility appliance.
New policy options have been made available in the following versions: 18.104.22.168 and 4.0.1
For releases prior to 22.214.171.124, the TLS 1.3 traffic will not be identified specifically and the policy defined for the “Catch All Action” within the Ruleset Options will come into effect. In order to cut-through TLS 1.3 traffic, this policy would need to be set to allow all undecryptable connections to be cut-through.
SSL Visibility 126.96.36.199 is able to correctly identify TLS 1.3 and apply the configured "Undecryptable Action" in the segment policy specific to TLS 1.3, including cut-through, drop or reject.
SSLV release 4.0 is compatible with TLS 1.3 and, when the policy is to decrypt, negotiates the connection down from TLS 1.3 to TLS 1.2, as defined by the TLS 1.3 standard.
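Whether a connection is affected depends on whether the client offers TLS 1.3 in its ClientHello. As an added example (not Symantec code and not part of the original article), the Python parser below reads a captured ClientHello record and reports the versions it offers, so affected clients can be identified from a packet capture. The function names and the constructed sample builder are assumptions, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

EXT_SUPPORTED_VERSIONS = 43   # extension type, RFC 8446 section 4.2.1
TLS13 = 0x0304                # final TLS 1.3; drafts used 0x7f00 | draft number

def offered_versions(record: bytes) -> list:
    """Versions a ClientHello record offers (supported_versions, else legacy_version)."""
    try:
        if record[0] != 22 or record[5] != 1:      # handshake record, ClientHello
            raise ValueError("not a ClientHello record")
        hello = record[9:9 + int.from_bytes(record[6:9], "big")]
        (legacy,) = struct.unpack("!H", hello[:2])
        pos = 2 + 32                                # skip legacy_version + random
        pos += 1 + hello[pos]                       # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                       # compression_methods
        if pos == len(hello):
            return [legacy]                         # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS:
                return [v for (v,) in struct.iter_unpack("!H", data[1:1 + data[0]])]
            pos += 4 + elen
        return [legacy]
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None

def offers_tls13(record: bytes) -> bool:
    """True if the client offers final TLS 1.3 or a draft (0x7fXX) version."""
    return any(v == TLS13 or v >> 8 == 0x7F for v in offered_versions(record))

def build_client_hello(versions=(), legacy=0x0303) -> bytes:
    """Constructed sample ClientHello (one cipher suite, optional supported_versions)."""
    ext = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        body = bytes([len(vlist)]) + vlist
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
        ext = struct.pack("!H", len(ext)) + ext
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
             + struct.pack("!HH", 2, 0x1301) + b"\x01\x00" + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The draft check (high byte 0x7f) matters for captures from the browser versions named above, which predate the final TLS 1.3 version number.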
Imported Document ID: 000032947