Symptom
Connection events for TLS 1.3 flows that should match a Decrypt - Resign rule in the decryption policy instead show the reason "Do Not Decrypt (Unsupported Cipher Suite)".
Conditions
The flow through the device is TLS 1.3, the ClientHello offers ONLY TLS 1.3 cipher suites, and the flow matches a Decrypt - Resign rule.
Snort 3 is in use with the "Enable TLS 1.3 Decryption" option disabled (the default setting).
Workaround
Enable the "Enable TLS 1.3 Decryption" option in the Advanced settings of the decryption (SSL) policy.
Further Problem Description
This bug is to improve the serviceability around "Unsupported Cipher Suite" events caused by TLS 1.3-only cipher suites when TLS 1.3 decryption is not enabled.
You can check what ciphers are supported via the following CLISH command (run from the FTD CLI):
system support ssl-hw-supported-ciphers
When TLS 1.3 support is enabled, the output includes the TLS 1.3 cipher suites, e.g.:
CID Cipher Suite Name FIPS Approved
---------------------------------------------------------------------
0x1302 TLS_AES_256_GCM_SHA384 Yes
0x1301 TLS_AES_128_GCM_SHA256 Yes
...
When TLS 1.3 support is disabled, the TLS 1.3 cipher suites are absent from this list. Neither the debugs nor the connection events make it obvious that this is the cause or how to fix it; this bug is a request to improve the debug logs so that the cause can be determined.
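The triggering condition is a ClientHello whose cipher_suites list contains nothing but TLS 1.3 suites (0x1301-0x1305 per RFC 8446), which is exactly what the device cannot resign while TLS 1.3 decryption is disabled. The following Python script is an added triage example, not Cisco code and not part of this bug: it parses the cipher_suites field out of a raw ClientHello record (for instance one carved from a packet capture of the affected flow) and reports whether the client is TLS 1.3-only, mixed, or legacy-only, so the cause can be confirmed before toggling the policy option. GREASE values (RFC 8701) are ignored since they are not real suites. The two ClientHello samples are constructed inline with zeroed random bytes and no extensions; the function and classification names are the example's own.

```python
"""Classify the cipher suites offered in a TLS ClientHello (added example, not Cisco code)."""
import struct

# TLS 1.3 cipher suites (RFC 8446, Appendix B.4). Only these are usable in TLS 1.3.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}


def is_grease(suite):
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ... 0xfafa and are not real suites."""
    return (suite >> 8) == (suite & 0xFF) and (suite & 0x0F) == 0x0A


def parse_client_hello(record):
    """Return the cipher suite IDs from a TLS record that carries a ClientHello.

    Raises ValueError if the bytes are not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                  # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def classify_suites(suites):
    """Return 'tls13_only', 'mixed', 'legacy_only' or 'empty'; GREASE values are ignored."""
    real = [s for s in suites if not is_grease(s)]
    if not real:
        return "empty"
    tls13 = [s for s in real if s in TLS13_SUITES]
    if len(tls13) == len(real):
        return "tls13_only"
    return "mixed" if tls13 else "legacy_only"


def build_client_hello(suites):
    """Construct a minimal ClientHello record for testing (constructed sample, not a capture)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + b"\x00" * 32            # legacy_version, random (zeros in the sample)
             + b"\x00"                             # empty legacy_session_id
             + struct.pack("!H", len(cs)) + cs     # cipher_suites
             + b"\x01\x00"                         # compression_methods: null only
             + b"\x00\x00")                        # no extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a TLS 1.3-only client (with one GREASE value), and a client
# that also offers TLS 1.2 suites (0xc02f/0xc030 = ECDHE-RSA AES-GCM).
TLS13_ONLY_HELLO = build_client_hello([0x0A0A, 0x1301, 0x1302, 0x1303])
MIXED_HELLO = build_client_hello([0x1301, 0x1302, 0xC02F, 0xC030])

if __name__ == "__main__":
    for name, hello in (("tls13-only", TLS13_ONLY_HELLO), ("mixed", MIXED_HELLO)):
        suites = parse_client_hello(hello)
        print(name, [hex(s) for s in suites], "->", classify_suites(suites))
```

A result of tls13_only for a flow that matches a Decrypt - Resign rule, combined with a `system support ssl-hw-supported-ciphers` listing that lacks the 0x13xx suites, points at the condition described above; a mixed client can still be resigned with a TLS 1.2 suite, so it does not hit this case.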