Reference: https://support.symantec.com/en_US/article.TECH247556.html (compare the ciphers by IANA name or by hex value).
So in this case the solution/workaround is to use "tunnel request if protocol errors is detected" under the general proxy settings, or detect protocol no (if explicit). Engineering will be reluctant to include this cipher in the SSL proxy and will instead blame the Android client for having a very limited cipher list (ideally any browser offers 15+ ciphers, among which the SG finds at least one overlap with the SSL proxy). We have tested with 6.7.4 as well and the result is the same (the 6.7.4 cipher lists are not updated in that KB).
It works in the Chrome browser because the SSL proxy has many ciphers that overlap with the cipher list in the incoming ClientHello.
Also worth mentioning: when the ClientHello has many other ciphers we can support and the upstream chooses an unsupported cipher, we can renegotiate on the upstream side only, taking out the unsupported cipher in a second request, basically downgrading the upstream to make it work.
To conclude, when an application sends only these 3 ciphers, it does not let the proxy downgrade from TLS 1.3 to TLS 1.2. Currently ProxySG "supports" TLS 1.3 only in the sense that it downgrades the connection and processes it as TLS 1.2 (the proxy does not have true TLS 1.3 support).
So true TLS 1.3 support on the proxy, which is not available, will require a Feature Request. Tunnel on Protocol Error will help get this connection established through the SG.
The Facebook and Instagram applications are enforced to use only TLS 1.3 in the mobile app, not the desktop version. That is why the mobile application forces the use of only those 3 ciphers and leaves the proxy no other ciphers to overlap with, and why only connections made through the Facebook and Instagram mobile applications fail.
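The overlap check described above can be reproduced offline from a captured ClientHello. The following is an added example, not Symantec code: it assumes "those 3 ciphers" are the RFC 8446 suites 0x1301 to 0x1303 (the article does not list them), and the proxy cipher set, the result labels and `sample_hello` are constructed for illustration.

```python
import struct

# Assumption: the article's "3 ciphers" are the RFC 8446 TLS 1.3 suites.
TLS13 = {0x1301, 0x1302, 0x1303}

# Constructed stand-in for the SSL proxy's cipher list; take the real one
# (IANA name or hex value) from the vendor KB for your SGOS release.
PROXY_SUPPORTED = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                   0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
                   0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def is_grease(cs):
    # RFC 8701 GREASE placeholders are 0x0A0A, 0x1A1A, ... 0xFAFA
    return (cs & 0x0F0F) == 0x0A0A and (cs >> 8) == (cs & 0xFF)

def offered_ciphers(record):
    """Return the cipher suite values from one raw TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]            # skip session_id
    if len(record) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("truncated cipher_suites vector")
    suites = struct.unpack_from("!%dH" % (n // 2), record, pos)
    return [cs for cs in suites if not is_grease(cs)]

def assess(record, supported=PROXY_SUPPORTED):
    """Classify a ClientHello: interceptable, TLS 1.3-only, or no overlap."""
    offered = offered_ciphers(record)
    overlap = [supported[cs] for cs in offered if cs in supported]
    if overlap:
        return "intercept", overlap
    if offered and all(cs in TLS13 for cs in offered):
        return "tls13-only", []       # the mobile-app case in this article
    return "no-overlap", []

def sample_hello(suites):
    """Constructed ClientHello carrying only the fields parsed above."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A `tls13-only` result corresponds to the connections that need tunnel on protocol error, while `intercept` matches the browser case where at least one offered cipher overlaps.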