One reasonable thing to do when the remote peer says "I want to speak TLS 8.6" is to say "Oh, I'm afraid we only allow TLS 1.2 here" and insist on talking TLS 1.2 anyway.
But that's not what these boxes did. They go "TLS 8.6! Set Defence Condition One. Attack In Progress! Prepare For Immediate Nuclear Strike!" and they tear down the whole network connection.
They did this with every previous version of TLS. The accepted lesson at this point is that if these idiots CAN break something they will, we don't care whether it's because they're too stupid not to break it or because they're actively assholes breaking things so nobody can have nice things, it doesn't matter.
This is basically the network equivalent of that guy who just shoots anybody he doesn't recognise on his front step. We don't call that "a sane defensive measure" we call it murder, even if he thinks he was just on guard for "unanticipated behaviour" he's going to jail.
The reason for this is to prevent downgrade attacks where an attacker can perform a man-in-the-middle by forcing your client to use an insecure protocol version. It makes sense, even if it occasionally breaks websites.
Preventing downgrade attacks could be done by blacklisting known-bad versions, no?
Assuming all future versions are bad leads to situations like this, where TLS 1.3 (and presumably all future versions) have to tunnel through a pseudo-TLS 1.2 connection.
Again, assuming all future versions are bad is _fine_ if that's what you want to do.
Responding to a peer that says "I know TLS 1.3" with "Too bad, we're talking TLS 1.2" was and is entirely in obedience with the specifications. As far as I know _every_ major middlebox on the market today now does this in their latest versions, most of them advertised this as "TLS 1.3 now supported"‡
But for "security" vendors silently being secure doesn't sell products, they would rather have an alarm "TLS Protocol Attack prevented!" and block the connection. Doesn't make you any safer, but that was never their priority. It's also easier for them to do than correctly implementing the protocol.
‡ In much the same way that "HD Ready" televisions "supported" High Definition television. In that you couldn't watch HD TV on those televisions, but hey, it was "supported"... those televisions existed in the same universe where HD TV existed. Likewise, modern Cisco or Palo Alto Networks middleboxes "support" TLS 1.3 by saying they want to talk TLS 1.2 instead...
That makes no sense, you can very well just say you don't support the version instead of immediately terminating the connection. Same security but it doesn't break the protocol.
One reasonable thing to do when the remote peer says "I want to speak TLS 8.6" is to say "Oh, I'm afraid we only allow TLS 1.2 here" and insist on talking TLS 1.2 anyway.
But that's not what these boxes did. They go "TLS 8.6! Set Defence Condition One. Attack In Progress! Prepare For Immediate Nuclear Strike!" and they tear down the whole network connection.
They did this with every previous version of TLS. The accepted lesson at this point is that if these idiots CAN break something they will, we don't care whether it's because they're too stupid not to break it or because they're actively assholes breaking things so nobody can have nice things, it doesn't matter.
This is basically the network equivalent of that guy who just shoots anybody he doesn't recognise on his front step. We don't call that "a sane defensive measure" we call it murder, even if he thinks he was just on guard for "unanticipated behaviour" he's going to jail.