Middlebox Compatibility with TLS v1.3

Connections between a server and a client that both support TLS v1.3 can still fail if other network infrastructure on the path, collectively called middleboxes, is not compatible with the protocol and blocks the connection from being established.

Examples of middleboxes that can cause this problem include network routers and network switches with ISO/OSI layer 2/3 routing functionality. Such devices typically misidentify TLS v1.3 handshake traffic as corrupted packets from an earlier version of TLS and discard them.

To work around this issue, a TLS v1.3 exchange can send extra Change Cipher Spec (CCS) messages so that it resembles a TLS v1.2 handshake on the wire. These messages carry no meaning in TLS v1.3 and are not required for the exchange to succeed; they are simply an inefficient use of both processing time and network capacity.

The workaround is enabled in all default installations to provide the widest network compatibility. If your network infrastructure is known to pass TLS v1.3 traffic correctly without the extra CCS messages, you can turn them off to reduce traffic and shorten connection setup.

To stop the unnecessary CCS packets being sent during the negotiation exchange, Micro Focus provides an application configuration option that toggles their use.
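One way to confirm that the option has taken effect is to inspect the raw TLS record stream of a connection (for example, the TCP payload of one direction extracted from a packet capture) and count the dummy CCS records. The following Python script is an added example written for this page, not Micro Focus code; it assumes the captured stream belongs to a TLS v1.3 handshake and uses constructed sample bytes in place of a real capture.

```python
import struct

# TLS record content types (RFC 8446 section 5.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 0x14, 0x15, 0x16, 0x17
TYPE_NAMES = {0x14: "change_cipher_spec", 0x15: "alert",
              0x16: "handshake", 0x17: "application_data"}


def parse_records(stream: bytes) -> list:
    """Split a TLS byte stream into (content_type, legacy_version, body) tuples.
    A truncated record raises ValueError so a damaged capture is never
    silently reported as 'no CCS sent'."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def record_types(stream: bytes) -> list:
    """Human-readable sequence of record types, in wire order."""
    return [TYPE_NAMES.get(c, "unknown(0x%02x)" % c) for c, _, _ in parse_records(stream)]


def count_dummy_ccs(stream: bytes) -> int:
    """Count CCS records with the one-byte body 0x01, the only form TLS 1.3 allows.
    In a TLS 1.3 handshake these exist only for middlebox compatibility, so a
    non-zero count means the extra CCS messages are still being sent."""
    return sum(1 for c, _, body in parse_records(stream)
               if c == CHANGE_CIPHER_SPEC and body == b"\x01")


# Constructed sample streams (not real captures): a stub handshake record in
# place of the ClientHello, optionally the dummy CCS, then one encrypted
# application_data record that carries the rest of the TLS 1.3 handshake.
HELLO = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
DUMMY_CCS = b"\x14\x03\x03\x00\x01" + b"\x01"
ENCRYPTED = b"\x17\x03\x03\x00\x03" + b"\xaa\xbb\xcc"
COMPAT_STREAM = HELLO + DUMMY_CCS + ENCRYPTED      # option left at its default
NO_COMPAT_STREAM = HELLO + ENCRYPTED               # extra CCS turned off

if __name__ == "__main__":
    for name, s in (("default", COMPAT_STREAM), ("ccs-off", NO_COMPAT_STREAM)):
        print(name, record_types(s), "dummy CCS records:", count_dummy_ccs(s))
```

Run it against both directions of a real capture: with the option off, a TLS v1.3 connection should show zero CCS records, and a parse error points at a capture that did not start on a record boundary.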