For Chrome users:
TLS 1.3 can be disabled by opening the URL “chrome://flags/#ssl-version-max”, changing the setting from “Default” to “TLS 1.2”, and then relaunching Chrome. The image below shows the configuration set to TLS 1.2:
(Note: A recent update changed Chrome to not use TLS 1.3 by default. This change was to help mitigate issues seen in the field.)
For Firefox users:
TLS 1.3 can be disabled by opening the URL “about:config”, searching for security.tls.version.max, changing it from “4”, which is TLS 1.3, to “3”, which is TLS 1.2, and restarting the browser. The image below shows the configuration set to “3”, which is TLS 1.2:
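To check from a profile's files which Firefox installations carry this workaround, the preference can be read from prefs.js and user.js. The script below is an added example, not part of the original article; the function names and sample file contents are constructed for illustration, and the codes 1 and 2 (TLS 1.0 and TLS 1.1) come from Firefox's numbering rather than from this page.

```python
import re

# Firefox's numeric codes for security.tls.version.max
TLS_VERSIONS = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
PREF_NAME = "security.tls.version.max"
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;', re.M)

def read_int_pref(text, name):
    """Return the last integer value set for `name`, or None if it is not set."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    value = None
    for pref, raw in PREF_RE.findall(text):  # lines starting with // never match
        if pref == name:
            value = int(raw)                 # a later line overrides an earlier one
    return value

def tls_max_status(prefs_js, user_js=""):
    """Report the effective TLS ceiling for one profile.

    user.js is applied on top of prefs.js at startup, so it takes precedence.
    prefs.js only stores values changed from the default, so an absent
    preference means the browser's built-in default is in effect.
    """
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_int_pref(text, PREF_NAME)
        if value is not None:
            label = TLS_VERSIONS.get(value, f"unknown ({value})")
            return {"source": source, "max": label, "tls13_disabled": value < 4}
    return {"source": "default", "max": None, "tls13_disabled": None}

# Constructed sample profile contents (not taken from a real system)
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.max", 3);
// user_pref("security.tls.version.max", 4);
'''
SAMPLE_USER_JS = 'user_pref("security.tls.version.max", 4);\n'

if __name__ == "__main__":
    print(tls_max_status(SAMPLE_PREFS))                  # workaround applied
    print(tls_max_status(SAMPLE_PREFS, SAMPLE_USER_JS))  # user.js re-enables TLS 1.3
    print(tls_max_status(""))                            # preference never changed
```

A profile reported with tls13_disabled set to True still has the workaround in place and should be reverted once the interception issue is resolved.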
How to confirm if TLS 1.3 is supported by a browser:
SSL Labs provides a URL that tests and reports the TLS versions supported by the browser requesting it. That URL is:
https://www.ssllabs.com/ssltest/viewMyClient.html
The following screenshots show the results of the above URL on Firefox 52 with its default configuration:
And after following the steps above to disable TLS 1.3 support:
Workaround on the ProxySG or ASG:
For explicit deployments, policy can be added to disable protocol detection for any impacted website. The following knowledge base article describes how this is done in policy:
http://bluecoat.force.com/knowledgebase/articles/Solution/SSL-interception-prevents-device-from-connecting-out-on-port-443
For transparent deployments, a TCP-Tunnel service will need to be created that includes the affected destination IPs. The following knowledge base article describes how this is done in proxy services:
http://bluecoat.force.com/knowledgebase/articles/Solution/000029291