
Sophos Firewall v21.0 GA - Kyber TLS (Edge/Chrome) connection reset error for transparent TLS decryption

We recently upgraded our Sophos XGS 4300 to SFOS v21. Since then, we are finding that a number of our users were receiving connection reset messages in their browser (Edge and Chrome) when attempting to access some websites with transparent TLS decryption enabled.

The error is: Dropped due to TLS engine error: FLOW_TIMEOUT[5]

Example websites we receive the error on are: www.theage.com.au and www.news.com.au

The issue occurs regardless of whether the site is available over TLSv1.2 or TLSv1.3 and regardless of the cipher suite being used.

Upon further investigation, we've found that the issue appears to relate to the PostQuantumKeyAgreementEnabled policy in Edge and Chrome.

According to the Edge policy docs, the policy:

"Offering a post-quantum key agreement is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.

However, devices that don't implement TLS correctly may malfunction when offered the new option. For example, they might disconnect in response to unrecognized options or the resulting larger messages. These devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If this issue is encountered, administrators should contact the vendor for a fix."

We were wondering if this is a known issue with the GA release of SFOS 21 or if others are encountering the same issue?

We are using the current Edge (131.0.2903.70) and Chrome (131.0.6778.86) releases.

[edited by: Erick Jan at 3:59 AM (GMT -8) on 2 Dec 2024]
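As an added diagnostic (not code from the original post or from Sophos), the Python script below builds a TLS ClientHello with and without a dummy X25519MLKEM768 hybrid key share and reports whether the path answers with a TLS record or tears the connection down, which lets an administrator separate "the decryption engine chokes on the larger ClientHello" from an ordinary TLS failure. The 0x11EC group codepoint and the 1216-byte share size are from my own knowledge of the Chrome/Edge 131 implementation, not from the thread, and the target host is a placeholder.

```python
import os
import socket
# Named-group codepoints from the IANA TLS Supported Groups registry.
X25519, SECP256R1 = 0x001D, 0x0017
X25519MLKEM768 = 0x11EC   # hybrid group offered by Chrome/Edge 131 (assumed, not from the thread)
PQ_SHARE_LEN = 1216       # 1184-byte ML-KEM-768 encapsulation key + 32-byte X25519 key

def _u16(n: int) -> bytes: return n.to_bytes(2, "big")
def _ext(ext_type: int, body: bytes) -> bytes: return _u16(ext_type) + _u16(len(body)) + body

def build_client_hello(host: str, include_pq: bool = True) -> bytes:
    """Return a TLS ClientHello record, optionally carrying a hybrid key share."""
    groups = ([X25519MLKEM768] if include_pq else []) + [X25519, SECP256R1]
    shares = b""
    if include_pq:
        # Dummy share: right size, random content. A real TLS endpoint still answers with
        # some TLS record; a middlebox that cannot cope resets or drops before replying.
        shares += _u16(X25519MLKEM768) + _u16(PQ_SHARE_LEN) + os.urandom(PQ_SHARE_LEN)
    shares += _u16(X25519) + _u16(32) + os.urandom(32)
    name = host.encode()
    extensions = b"".join([
        _ext(0, _u16(len(name) + 3) + b"\x00" + _u16(len(name)) + name),  # server_name
        _ext(43, b"\x04\x03\x04\x03\x03"),                                # versions 1.3, 1.2
        _ext(10, _u16(2 * len(groups)) + b"".join(map(_u16, groups))),   # supported_groups
        _ext(13, b"\x00\x08\x04\x03\x08\x04\x04\x01\x05\x03"),            # signature_algorithms
        _ext(51, _u16(len(shares)) + shares),                             # key_share
    ])
    suites = b"\x13\x01\x13\x02\x13\x03\xc0\x2b\xc0\x2f"  # TLS 1.3 suites + two 1.2 fallbacks
    body = (b"\x03\x03" + os.urandom(32) + b"\x20" + os.urandom(32) + _u16(len(suites))
            + suites + b"\x01\x00" + _u16(len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake

def probe(host: str, port: int = 443, include_pq: bool = True, timeout: float = 5.0) -> str:
    """Send one ClientHello and classify the first thing that comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(host, include_pq))
            first = s.recv(5)
    except ConnectionResetError:
        return "reset"      # connection torn down mid-handshake
    except socket.timeout:
        return "timeout"    # silently dropped, the FLOW_TIMEOUT symptom
    if len(first) < 5:
        return "closed"
    return {0x16: "handshake", 0x15: "alert"}.get(first[0], "unknown")

if __name__ == "__main__":
    for pq in (False, True):   # placeholder host; run from behind the inspecting firewall
        print(f"pq={pq}: {probe('www.example.com', include_pq=pq)}")
```

A "handshake" or "alert" result for both runs means the path tolerates the larger hello; "reset" or "timeout" only when `include_pq=True` reproduces the symptom described above.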