tls1.3 and required action?

Reply
Highlighted
L4 Transporter

tls1.3 and required action?

I know I am late in posting about tls1.3.

I have my permiter 5020s doing inbound and outbound ssl decryption. I'm currently on 8.0.13 and never had any issues. with tls1.3 coming this March, should I fear of breaking ssl connections and upgrade to later version soon? if so, what is the recommended OS?

 

thanks.

Tags (2)
L3 Networker
L4 Transporter

Re: tls1.3 and required action?

@Abdul_Razaq thank you but I have seen the article before. I am looking for some responses from experienced users who has decryption enabled on their firewalls. also, support engineer asked me to wait few weeks until the recommended version sinks in.

L6 Presenter

Re: tls1.3 and required action?


@SThatipelly wrote:

...with tls1.3 coming this March, should I fear of breaking ssl connections and upgrade to later version soon? if so, what is the recommended OS?

 

thanks.


 

 

Yes and no.  This will only be a problem for websites that are using the TLS1.3 protocol and if the browser (it should) supports it.

 

So if you do not upgrade your FW to the current supported version of the protocol then sites which leverage the protocol will be inaccessible by your users.  

 

Note -- This only means the FW will properly negotiate the handling of the protocol, not allow you to decrypt the TLS1.3 session.

L6 Presenter

Re: tls1.3 and required action?


@SThatipelly wrote:

@Abdul_Razaq thank you but I have seen the article before. I am looking for some responses from experienced users who has decryption enabled on their firewalls. also, support engineer asked me to wait few weeks until the recommended version sinks in.


 

<-- Experienced user / admin here...We upgraded to 8.0.14 a while ago.  I highly suggest upgrading to 8.0.14/15 to get this support.  Your users will make it mandatory by reporting issues if you don't.

L4 Transporter

Re: tls1.3 and required action?

thank you for the response. do we know if huge portion of internet is going to move to tls1.3 at this moment? and do we know of any site that has already migrated to it so I can test it before upgrade?

thanks.

L6 Presenter

Re: tls1.3 and required action?


@SThatipelly wrote:

thank you for the response. do we know if huge portion of internet is going to move to tls1.3 at this moment? 

thanks.


 

 

 

https://www.sandvine.com/blog/global-internet-phenomena-tls-1.3-adoption-facebook-leads-the-way

 

Looks like .026% are using TLS1.3.

 

 

I know Talos uses TLS 1.3 -- https://www.talosintelligence.com/ 

L4 Transporter

Re: tls1.3 and required action?

surprisingly, I am able to access while my firewall is decrypting traffic to both those sites. I am on 80.13

L7 Applicator

Re: tls1.3 and required action?

@SThatipelly,

Likely due to the browser you are using; Google Chrome, Mozilla Firefox, Microsoft Edge, and Internet Explorer all handle TLS 1.3 downgrade very differently. 

I know that Google has made some modifications since the notice was published that plays nicer with MitM decryption and allowing a downgrade to TLS 1.2; however I wouldn't want to rely on this as Google is actively playing around with the default settings between versions. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!