
WSS TLS version negotiation behavior


Article ID: 203825


Products

Web Security Service - WSS

Issue/Introduction

When SSL Interception is enabled in the WSS portal (Policy > TLS/SSL Interception), WSS attempts to preserve the TLS version and cipher suite as negotiated by the client and server.

Resolution

Behavior

  • If the client and server negotiate TLSv1.1 or TLSv1.2, WSS uses that negotiated version for communication with both the client and the server.

  • If the client requests TLSv1.3, WSS downgrades the request to TLSv1.2. Note: If SSL Interception is not applicable to the request, TLSv1.3 traffic passes through WSS without modification.

  • Connection failures occur when clients and servers cannot resolve TLS version mismatches.

    • Scenario 1: If a client is configured to allow only a newer TLS version than a server supports, the server attempts to downgrade the TLS version to one that the server does support. If the client does not allow that version, the client returns an error. Likewise, the server might not understand the client's request, which also causes a connection error.

    • Scenario 2: If a server is configured to allow only a newer TLS version than the client supports, the server might return a failure during the negotiation.

      In this case, WSS completes the SSL handshake on the client-side with a TLS version and cipher suite that the client supports. This is required so WSS can return a Response Page to the client. This page provides information about the connection failure. 

Note:

  • Security scanning tools might report a successful connection with the weaker TLS version or cipher suite as a vulnerability. However, this is a false positive because the connection is only used to determine and return user-readable error text. The weaker TLS version and cipher suite are never used to send any information from WSS to the origin server.

  • Full support for TLSv1.3 interception is planned for an upcoming WSS update.
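The behavior and notes above can be expressed as a small decision model, which is useful when deciding whether a scanner finding against an intercepted site is the false positive described in the note. The following Python is an added example, not Broadcom code: `negotiate()` encodes the rules as written in this article (version sets, TLSv1.3 downgraded to TLSv1.2 under interception, the two mismatch scenarios, and the client-side handshake that only serves a Response Page), and `probe()` uses the standard `ssl` module to report the version a real endpoint actually negotiates so the model can be checked against a live deployment. The version ordering, the `WSS_INTERCEPT_VERSIONS` set and the host/port arguments are assumptions for illustration.

```python
"""Model of the TLS version negotiation rules described in this article, plus an ssl probe.

Added example (not Broadcom/WSS code). The rule encoding is a reading of the article's
Behavior section; WSS_INTERCEPT_VERSIONS and the probe targets are assumptions.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Versions in age order, so "newer" means a higher index.
TLS_ORDER = ("TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions WSS can terminate when interception applies (TLSv1.3 interception not yet supported).
WSS_INTERCEPT_VERSIONS = frozenset({"TLSv1.1", "TLSv1.2"})


@dataclass(frozen=True)
class Outcome:
    client_side: Optional[str]  # version on the client <-> WSS leg, None if that handshake failed
    server_side: Optional[str]  # version on the WSS <-> origin leg, None if that handshake failed
    response_page: bool         # True when WSS served its own error page instead of origin content


def _best_common(offered, supported) -> Optional[str]:
    """Newest version present in both sets, or None when there is no overlap."""
    common = [v for v in TLS_ORDER if v in offered and v in supported]
    return common[-1] if common else None


def negotiate(client: FrozenSet[str], server: FrozenSet[str], intercept: bool) -> Outcome:
    """Apply the article's rules. `client` and `server` are the version sets each side accepts."""
    if not intercept:
        # Pass-through: WSS does not modify the handshake, so TLSv1.3 goes straight through.
        v = _best_common(client, server)
        return Outcome(v, v, False)

    # Origin leg first: WSS offers what the client accepts, with TLSv1.3 downgraded to TLSv1.2.
    offered = frozenset("TLSv1.2" if v == "TLSv1.3" else v for v in client)
    server_v = _best_common(offered, server)
    if server_v is not None:
        if server_v in client:
            # Preserved: the same negotiated version is used on both legs.
            return Outcome(server_v, server_v, False)
        # Scenario 1 on the client side: e.g. a TLSv1.3-only client refuses the downgraded version.
        return Outcome(None, None, False)

    # Origin handshake failed (Scenario 1 or 2). WSS still completes the client-side handshake
    # with a version the client accepts, solely to return a Response Page.
    client_v = _best_common(client, WSS_INTERCEPT_VERSIONS)
    if client_v is None:
        return Outcome(None, None, False)
    return Outcome(client_v, None, True)


def finding_is_false_positive(outcome: Outcome) -> bool:
    """A scanner that saw a weaker version succeed only reached WSS's error page, not the origin."""
    return outcome.response_page and outcome.server_side is None


def probe(host: str, port: int, minimum: ssl.TLSVersion, maximum: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Connect to host:port with the given version window and report what was negotiated.

    Note: builds of OpenSSL with a high default security level may refuse TLSv1.1 outright,
    which shows up here as a handshake failure rather than a negotiated version.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() or "unknown"
    except (ssl.SSLError, OSError) as exc:
        return f"handshake failed: {exc}"


if __name__ == "__main__":
    # Usage: python tls_probe.py <host> [port]  (host/port are placeholders you supply)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for label, lo, hi in (
        ("TLSv1.3 only", ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
        ("TLSv1.2 max", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
        ("TLSv1.1 max", ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1),
    ):
        print(f"{label:12s} -> {probe(target, port, lo, hi)}")
```

Running the script against an intercepted site through WSS should show the "TLSv1.3 only" window failing and the "TLSv1.2 max" window succeeding, matching the downgrade rule; if a "TLSv1.1 max" connection succeeds but only returns a Response Page, that is the case the note above describes as a scanner false positive.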

Universal Policy Enforcement (UPE) behavior

If your WSS is deployed in UPE mode (you use Management Center to administer the same policy on the ProxySG appliance and WSS), you can modify policy to allow or block traffic based on negotiated TLS version and cipher suite. 

Additional Information

See WSS Reference: Supported Cipher Suites (Datapath).