Mitigating TLS 1.3 unsupported errors in SSL Visibility Session logs.


Article ID: 270553


Products

SV-1800 SV-2800 SV-3800 SV-800 SV-S550

Issue/Introduction

TLS 1.3 unsupported errors within the SSLV Session logs can be misleading. The SSLV appliances do support TLS 1.3 decryption; however, additional policy configuration is needed when there are no certificates in the Learned Certificate Cache (learned from TLS 1.2 sessions) that can be used to evaluate TLS 1.3 flows.

Cause

Certificates are cached and used independently of the protocol version of the session on which they were observed. For example, a certificate seen on a TLS 1.2 session may be used to evaluate policy on a TLS 1.3 session.
 
Because the TLS 1.3 protocol encrypts the server certificate, the certificate is not available on cut-through flows, so it is not possible to validate that the certificate used in the flow matches the certificate returned by the Learned Certificate Cache.
 
A domain-name based cut-through requires certificate information. On a TLS 1.3 session the SSLV cannot see the certificate until it mediates the session; before that point it can only see the Client Hello (CH). Once a session is mediated it can no longer be cut through, only dropped or rejected. That is why these sessions fall under unsupported sessions: by the time all the information needed for a domain cut has been collected, the appliance is already inside the session and can no longer cut it. As a result, true TLS 1.3 flows are cut as unsupported because the certificate cannot be identified.
 
By adding a trigger rule that matches a domain, or a known certificate and key, in the Client Hello, you can direct the policy to apply an "observe" action to the flow instead of mediating it. The flow can then match the Inspection Services rule for a known certificate and key, which decrypts the TLS 1.3 flow without the certificate having to be present in the Learned Certificate Cache.
 
This requires an additional rule containing the domain, which flags the flow as observe. Once flagged as observe, the flow then matches the known certificate and key rule, which forces it to use Inspection Services.

Resolution

Create a new rule with the match criteria set to an IP address or a domain.
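The policy behaviour described above can be hard to follow from the session log alone, so here is a small model of the decision sequence as an added illustration. This is not the appliance's own code or policy language; the class and function names (`ClientHello`, `Policy`, `evaluate`, `learn_certificate`) and the action strings are assumptions chosen to mirror the article: the learned cache is keyed independently of protocol version, the certificate is invisible on a TLS 1.3 flow until it is mediated, and the added observe trigger rule lets the known certificate and key rule apply before mediation.

```python
"""Toy model of the SSLV policy decisions described in this article.

Added illustration only; names and action strings are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientHello:
    version: str   # protocol version of the session, "TLS1.2" or "TLS1.3"
    sni: str       # server name from the Client Hello, visible on both versions


@dataclass
class Policy:
    cut_domains: set = field(default_factory=set)      # domain cut-through rules
    observe_domains: set = field(default_factory=set)  # added trigger rules -> "observe"
    known_keys: set = field(default_factory=set)       # domains with cert + key installed


def certificate_visible(version: str) -> bool:
    """TLS 1.3 encrypts the Certificate message; without mediating, it is unseen."""
    return version != "TLS1.3"


def learn_certificate(cache: dict, hello: ClientHello, cert: str) -> None:
    """Learned Certificate Cache: stored by domain, regardless of session version."""
    if certificate_visible(hello.version):
        cache[hello.sni] = cert


def evaluate(hello: ClientHello, policy: Policy, cache: dict) -> str:
    """Return the action the flow ends up with under the described policy."""
    # 1. Trigger rule evaluated on the Client Hello: domain flagged as "observe".
    #    The flow is not mediated, so the known certificate and key rule can apply.
    if hello.sni in policy.observe_domains:
        if hello.sni in policy.known_keys:
            return "inspect:known-cert-and-key"   # decrypted without a cache hit
        return "observe"

    # 2. Domain cut-through rule: needs the certificate to confirm the domain.
    if hello.sni in policy.cut_domains:
        if certificate_visible(hello.version):
            return "cut-through"
        # TLS 1.3: the cache may hold a certificate learned on TLS 1.2, but it
        # cannot be verified against this flow, and mediating rules out cutting.
        cached: Optional[str] = cache.get(hello.sni)
        reason = "cached-cert-unverifiable" if cached else "no-certificate"
        return f"unsupported:{reason}"

    # 3. Everything else is mediated (inspected).
    return "mediate"


def demo() -> dict:
    """Walk the three cases from the article with constructed sample flows."""
    cache: dict = {}
    policy = Policy(cut_domains={"bank.example"},
                    observe_domains={"intranet.example"},
                    known_keys={"intranet.example"})

    tls12 = ClientHello("TLS1.2", "bank.example")
    learn_certificate(cache, tls12, "CN=bank.example")   # constructed cert name
    results = {
        "tls12_cut": evaluate(tls12, policy, cache),
        # same domain on TLS 1.3: cache has the cert, but it cannot be verified
        "tls13_cut": evaluate(ClientHello("TLS1.3", "bank.example"), policy, cache),
        # added observe trigger + known key: decrypted with nothing in the cache
        "tls13_observe": evaluate(ClientHello("TLS1.3", "intranet.example"), policy, cache),
        "cache_has_bank": "bank.example" in cache,
    }
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Running the script shows the three outcomes side by side: the TLS 1.2 flow is cut through, the same domain on TLS 1.3 is logged as unsupported even though the cache holds its certificate, and the domain covered by the added observe rule is decrypted via the known certificate and key rule.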