Operational Defect Database

BugZero found this defect 2623 days ago.

WatchGuard Technologies | kA10H000000g3UVSAY

Connections using TLS 1.3 fail when 'Allow Only SSL Compliant Traffic' is enabled in HTTPS proxy

Last update date:

3/14/2017

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

11.10.7

Fixed releases:

All

Description:

Issue

Both Mozilla Firefox 49+ and Google Chrome 56+ allow users to manually enable TLS 1.3 support in their browser configurations. When TLS 1.3 support is manually enabled in the browser, connections through the HTTPS proxy will fail if Content Inspection is disabled and the option Allow Only SSL Compliant Traffic is enabled.

Firefox displays the error code: SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA

Chrome displays the error code: SSL_VERSION_INTERFERENCE

Connections will succeed using TLS 1.3 through the HTTPS proxy if Content Inspection is disabled and the option Allow Only SSL Compliant Traffic is disabled.

Connections will also succeed, but are downgraded to use TLS 1.2 through the HTTPS proxy if Content Inspection is enabled.

Workaround/Solution

To avoid this issue, you must either disable TLS 1.3 support in your browser, or use an HTTPS proxy with the Allow Only SSL Compliant Traffic option disabled.


Status

Resolved
