Sites that only support TLS 1.3 do not work through the proxy: the connection fails when Protocol Detection is enabled on the explicit HTTP service and these sites are fully SSL intercepted.
Release : 7.3
Component :
This is observed in SGOS 7.3. In a packet capture taken on the proxy, the proxy always attempts to negotiate TLS 1.2 with the server, after which the connection drops, because these servers only accept TLS 1.3.
In the SSL debug logs, available at https://proxyip:8082/sslproxy/debug, the following message can be observed for these connections:
SSLW 10676AA9C10 (4D000533): Disabling upstream h2 and TLS 1.3 because ADN is enabled.(Transaction UUID - 3c1af37a4ed2f542-000000000b9e7e6c-0000000062a9c149
This indicates that when the ADN (Application Delivery Network) option is enabled on the explicit HTTP service, the proxy does not attempt TLS 1.3 upstream and instead offers TLS 1.2 to the server (the same log line shows that upstream h2 is disabled for the same reason). Servers that only support TLS 1.3 reject that handshake, so the connection breaks.
Disabling ADN on the explicit HTTP service resolves the issue; the proxy then negotiates TLS 1.3 upstream successfully.
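The following Python script is an added troubleshooting aid for the situation described above; it is not part of the original article and not a Symantec/Broadcom tool. It does two things: find_adn_downgrades() scans text copied from the proxy's SSL debug page and returns every connection on which the proxy logged that it disabled upstream TLS 1.3 because ADN is enabled, together with the transaction UUID so the connection can be matched against a packet capture; probe_tls_version() performs a direct handshake from the administrator's workstation to the origin server pinned to one protocol version, so you can confirm that the server really refuses TLS 1.2 and accepts only TLS 1.3. The probe assumes the workstation can reach the origin server directly (not through the proxy); the sample log text embedded in the script is constructed for the example, with only its first line taken from the article.

```python
"""
Added example (not from the original KB article): checks for troubleshooting
a TLS 1.3-only origin behind a ProxySG explicit HTTP service with ADN enabled.
"""
import re
import socket
import ssl

# Pattern for the debug-log message quoted in the article. That line has no
# space between "enabled." and "(Transaction UUID" and no closing parenthesis,
# so the pattern requires neither.
ADN_DOWNGRADE_RE = re.compile(
    r"^(?P<worker>\w+)\s+(?P<conn>[0-9A-Fa-f]+)\s+\((?P<ref>[0-9A-Fa-f]+)\):\s*"
    r"Disabling upstream h2 and TLS 1\.3 because ADN is enabled\.?\s*"
    r"\(Transaction UUID - (?P<uuid>[0-9A-Fa-f-]+)"
)


def find_adn_downgrades(log_text):
    """Return one dict per connection where ADN forced a TLS 1.2 upstream handshake.

    log_text is the raw text copied from https://proxyip:8082/sslproxy/debug.
    """
    hits = []
    for line in log_text.splitlines():
        m = ADN_DOWNGRADE_RE.match(line.strip())
        if m:
            hits.append({"conn": m.group("conn"), "uuid": m.group("uuid")})
    return hits


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt a handshake restricted to exactly `version` (an ssl.TLSVersion).

    Returns the negotiated protocol string (e.g. 'TLSv1.3') on success, or
    None if the server refused that version or the connection failed.
    Requires direct network access to the origin server (assumption).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def classify_server(host, port=443):
    """Report which of TLS 1.2 / TLS 1.3 the origin accepts.

    A TLS 1.3-only origin (the case in the article) yields
    {"tls1.2": False, "tls1.3": True}.
    """
    return {
        "tls1.2": probe_tls_version(host, port, ssl.TLSVersion.TLSv1_2) is not None,
        "tls1.3": probe_tls_version(host, port, ssl.TLSVersion.TLSv1_3) is not None,
    }


# Constructed sample log: the first line is the message quoted in the
# article; the remaining lines are made-up filler standing in for unrelated
# debug output and must not match.
SAMPLE_DEBUG_LOG = """\
SSLW 10676AA9C10 (4D000533): Disabling upstream h2 and TLS 1.3 because ADN is enabled.(Transaction UUID - 3c1af37a4ed2f542-000000000b9e7e6c-0000000062a9c149
SSLW 10676AA9C10 (4D000533): constructed filler line that must not match
SSLW 10676AA9C10 (4D000534): constructed filler line that must not match
"""

if __name__ == "__main__":
    import sys

    for hit in find_adn_downgrades(SAMPLE_DEBUG_LOG):
        print("ADN downgrade on connection", hit["conn"], "transaction", hit["uuid"])
    # Optional: python3 script.py origin.example.com  (hostname is an assumption)
    if len(sys.argv) > 1:
        print(classify_server(sys.argv[1]))
```

Run the probe before and after disabling ADN on the explicit service: the origin's result does not change (it is the server that refuses TLS 1.2), but once ADN is off the "Disabling upstream h2 and TLS 1.3 because ADN is enabled" message should no longer appear on the debug page for new connections to that origin, which is the condition the article describes for the fix.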