Mitigating TLS 1.3 unsupported errors in SSL Visibility Session logs.
search cancel

Mitigating TLS 1.3 unsupported errors in SSL Visibility Session logs.


Article ID: 270553


Updated On:


SV-1800 SV-2800 SV-3800 SV-800 SV-S550


TLS1.3 unsupported errors within the SSLv Session logs can be misleading.  The SSLv Appliances support TLS 1.3 decryption, however, certain configuration parameters will need to be made if there are no TLS 1.2 certificates in the certificate cache to verify  TLS 1.3 flows.


Certificates are cached and used independently of the protocol version of the session on which they were observed. For example, a certificate seen on a TLS 1.2 session may be used to evaluate policy on a TLS 1.3 session.
As the TLS 1.3 protocol encrypts certificates rendering them unavailable in cut through flows, it is not possible to validate that the certificate used in the flow matches the certificate returned by the Learned Certificate Cache.  T
Certificate information is needed to do a domain-name based cut through, which the SSLV cannot see until it mediates the TLS 1.3 session, it can only see the CH information.  Once a session is mediated it cannot be cut, only dropped or rejected.  That is why this falls under unsupported sessions.  By the time we have collected all info for a domain cut, we can't cut because we are in the session.  True TLS 1.3 flows would be cut unsupported because we cannot identify the certificate.
By adding a trigger rule on a domain or known certificate and key in the client hello, you can manipulate the policy to utilize an "observe" on an flow, instead of mediated.  This will allow for the flow to then utilize the Inspection services rule for a known certificate and key, which will decrypt the TLS 1.3 flow without having the certificate in the known certificate cache.
This would require you to have an additional rule, with the domain in it, which will flag it to observe.  After it is flagged as observe it will then hit the known certificate and key rule, which will then force it to utilize the Inspection services.


Create a new rule with the match criteria set to be an IP or a domain.