FTDs - Firepower dropping HTTPS traffic using TLS 1.3 Hybridized Kyber

Hello

We have a lot of clients getting the following error when contacting different sites: ERR_SSL_PROTOCOL_ERROR. We have read that SonicWall and Palo Alto also have these problems. The solution is to turn off "TLS 1.3 Hybridized Kyber Support" in the Chromium web browser, and/or I have tried to disable all SSL and "Early application detection and URL categorization" for 1.3 in Firepower.

We are using fw: 7.2.5, have created a TAC case and are waiting for an answer.

Anybody else getting this?

Regards 

J.

Please rate as helpful, if that would be the case. Thanx

rpinasar
Cisco Employee

TLS 1.3 Hybridized Kyber Support Issue Affecting Browser Connections.

Many of you may have AnyConnect cases with a screenshot like the following, complaining of SSL_Protocol_Errors. A recent issue has been identified with the latest Chromium update, which may be affecting your browser connections, particularly those involving Secure Assertion Markup Language (SAML) authentication and Cisco AnyConnect.

 

The root of the problem lies in the new feature implemented in Chromium Version 124, namely the support for TLS 1.3 hybridized with Kyber, which unfortunately disrupts the TLSv1.2 Handshake process. This issue primarily impacts users of Chrome and Edge browsers, where the error displayed is ERR_SSL_PROTOCOL. It is important to note that browsers not based on Chromium, such as Firefox and Safari, remain unaffected.

To resolve this issue for Chrome and Edge users, you can disable the TLS 1.3 hybridized Kyber support by following these steps:

1. Navigate to the browser's experimental features page:
   - For Edge: edge://flags/#enable-tls13-kyber
   - For Chrome: chrome://flags/#enable-tls13-kyber
2. Set the feature to 'Disabled.'

After making this change, the connection issues with the browser should be resolved.

However, if the problem persists with AnyConnect connections, this may be due to the fact that AnyConnect uses Webview2 Runtime, which does not recognize the flag adjustments made previously. To address this, you will need to create a specific registry value via PowerShell as an Administrator:

For AnyConnect with VPN 4.x:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility" /v UseLegacyEmbeddedBrowser /t REG_DWORD /d 1 /f 

For Cisco Secure Client with VPN 5.x:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client" /v UseLegacyEmbeddedBrowser /t REG_DWORD /d 1 /f 

This action instructs AnyConnect to utilize the Legacy Browser (Internet Explorer) in place of Edge, which should restore your connection.

We are aware that the update to Chromium-based browsers has been intended to introduce stronger security via TLS 1.3 post-quantum cryptography. However, making TLS 1.3 Hybridized Kyber support the default has inadvertently caused disruptions in browser-client interactions.

As an alternative, some users are opting to manually downgrade Webview2 or revert to using the legacy browser. It is also possible to download an earlier version of Webview2 for use with the embedded browser should that be necessary.
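
The registry workaround from the two reg add commands above, written as an idempotent script (this is an added example, not code from the post or from Cisco): it applies the UseLegacyEmbeddedBrowser value to whichever of the two client key paths exists on the machine, reads the value back to confirm the write, and can remove it again with a hypothetical -Revert switch. The two key paths are the ones given in the post; the -Revert switch and the output format are assumptions of this example.

```powershell
# Added example (not from the original post): apply, verify, or remove the
# UseLegacyEmbeddedBrowser workaround for both AnyConnect 4.x and Cisco Secure
# Client 5.x. Run from an elevated PowerShell session.
# The key paths are those given in the post; -Revert is a hypothetical switch
# that removes the value once the workaround is no longer needed.
[CmdletBinding()]
param(
    [switch]$Revert
)

$keys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility',  # VPN 4.x
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client'                # VPN 5.x
)
$valueName = 'UseLegacyEmbeddedBrowser'

foreach ($key in $keys) {
    # Only one of the two products is normally installed; skip the missing key
    # instead of creating a Cisco key that no client will read.
    if (-not (Test-Path $key)) {
        Write-Output "SKIP    $key (key not present; that client version is not installed)"
        continue
    }

    $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName

    if ($Revert) {
        if ($null -ne $current) {
            Remove-ItemProperty -Path $key -Name $valueName
            Write-Output "REMOVED $valueName from $key"
        } else {
            Write-Output "OK      $valueName already absent from $key"
        }
        continue
    }

    if ($current -eq 1) {
        Write-Output "OK      $valueName already set to 1 in $key"
        continue
    }

    # New-ItemProperty creates the DWORD; Set-ItemProperty corrects an existing wrong value.
    if ($null -eq $current) {
        New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name $valueName -Value 1
    }

    # Read the value back rather than trusting the write.
    $after = (Get-ItemProperty -Path $key -Name $valueName).$valueName
    if ($after -eq 1) {
        Write-Output "SET     $valueName=1 in $key"
    } else {
        Write-Error "FAILED  $valueName in $key reads back as '$after'"
    }
}
```

Because the value switches the embedded SAML browser from the WebView2 runtime to the legacy Internet Explorer control, as the post explains, it is worth keeping the -Revert path handy: once the firewall side carries a fixed release, running the script with -Revert returns clients to the modern embedded browser without having to remember the key paths.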


srajiwate
Level 1

I was having the same problem, but only for the traffic which was passing through the IPsec tunnel. To fix that I reduced the firewall interface MTU to 1376 as an adjusted MSS.

-Tobi-
Level 1

Will there be a fixed version for FTD too? In the bug (CSCwj82736) details there are only ASA releases listed.

This bug is fixed in 7.4.2: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj85333

Might be the same issue (Kyber).
