ProxySG, ASG and WSS will interrupt SSL connections when clients using TLS 1.3 access sites also using TLS 1.3

<< Back to Knowledge Search

Technical Alert

Affected Products
ProxySG 6.5.9.x or earlier releases
ASG or earlier releases
ProxySG or earlier releases
WSS (Web Security Service) prior to Mar 4, 2017
Symantec was alerted to an interoperability issue between Symantec WSS, ProxySG and ASG products and TLS 1.3 in certain configurations. Google recently enabled field trial support for TLS 1.3, in Chrome Browser and ChromeOS 56 while accessing select Google servers. Users of Symantec ProxySG, other proxy and filtering solutions may see a connection issues as a result. Clients that enable TLS 1.3, (Chrome 56, FireFox 52) and access TLS 1.3 enabled servers, may experience SSL connection failures when going through ProxySG, WSS or ASG.
Fixes for TLS 1.3 interoperability are complete and included in the releases listed in the Resolution section.
Below is the list of releases and their release schedules that include fixes for TLS 1.3 interoperability. Symantec recommends that customers upgrade to these or later releases to avoid the issue.

Note: The Fix for the Web Security Service (WSS) was rolled out on March 4, 2017.

For the other products, the fix will be included in all future SW versions starting with:
  • SG was released on May 16, 2017
  • SG was released on Mar 16, 2017
  • ASG was released on Apr 7, 2017
  • SG was released on Mar 21, 2017
For Chrome users:
TLS 1.3 can be disabled by accessing URL “chrome://flags/#ssl-version-max”, changing the setting from “Default” to “TLS 1.2”, and then relaunching Chrome. The below image shows the configuration set to TLS 1.2:
User-added image
(Note: A recent update changed Chrome to not use TLS 1.3 by default. This change was to help mitigate issues seen in the field.)

For FireFox users:
TLS 1.3 can be disabled by accessing URL “about:config”, search for security.tls.version.max, change it from “4”, which is TLS 1.3, to “3”, which is TLS 1.2, and restart the browser. The below image shows the the configuration set to “3”, which is TLS 1.2:
User-added image

How to confirm if TLS 1.3 is supported by a browser:
SSL Labs provides a URL which will test and report the TLS versions supported by the browser requesting the URL. That URL is: The following screen shots show the results of the above URL on FireFox 52 with its default configuration:
User-added image
And after following the steps above to disable TLS 1.3 support:
User-added image

Work around on the ProxySG or ASG:
For explicit deployments policy can be added to disable protocol detection for any impacted website. The following knowledge base article describes how this is done in policy:  For transparent deployments a TCP-Tunnel service will need to be created that includes the affected destination IPs. The following knowledge base article describes how this is done in proxy services:
Bug Number
6.6.x.x - Bug # 244389
6.5.x.x - Bug # 244448
InQuira Doc Id

Article Feedback

Hide Properties
First Published      03/14/2017
Last Modified      05/16/2017
Last Published      05/16/2017
Article Audience
Product      Advanced Secure Gateway, ProxySG, Web Security Service
Software      ASG 6.6, SGOS 6
Topic      SSL / HTTPS, Usability
Article Number      000032878
Summary      The following behaviors are observed when this issue occurs: SSL connections will be interrupted when clients that default to TLS 1.3 access TLS1.3 sites, if ProxySG or ASG has protocol detection, SSL Proxy service or SSL interception enabled or the connections are sent to WSS.
Was this helpful?
Previous MonthNext Month