Guest

Preview Tool

Cisco Bug: CSCvj93913 - SSL Inspection TLS 1.3 downgrade needs to modify client/server random values to be RFC compliant

Last Modified

Apr 14, 2020

Products (32)

  • Cisco Firepower Management Center
  • Cisco FirePOWER Appliance 8120
  • Cisco FirePOWER Appliance 7050
  • Cisco FirePOWER Appliance 8360
  • Cisco Firepower Management Center 2500
  • Cisco FirePOWER Appliance 8260
  • Cisco FirePOWER Appliance 8130
  • Cisco AMP 8150
  • Cisco FirePOWER Appliance 8350
  • Cisco AMP 7150
View all products in Bug Search Tool Login Required

Known Affected Releases

6.1.0 6.2.0 6.2.2 6.2.3

Description (partial)

Symptom:
When the TLS 1.3 protocol is enabled on TLS clients and servers, the system must downgrade the TLS session to TLS 1.2 when SSL inspection is enabled. Otherwise, TLS connections fail.

SSL inspection was modified to enable the TLS downgrade in earlier defect fixes, and this change worked for the TLS 1.3 implementations that were available at the time the change was made.

However, the original downgrade implementation was not fully RFC compliant. This defect covers modifying the TLS client and server random values so that the downgrade complies with the RFC.

Conditions:
An SSL inspection policy is enabled on managed devices.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.