tls1.3 and required action?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

tls1.3 and required action?

L4 Transporter

I know I am late in posting about tls1.3.

I have my permiter 5020s doing inbound and outbound ssl decryption. I'm currently on 8.0.13 and never had any issues. with tls1.3 coming this March, should I fear of breaking ssl connections and upgrade to later version soon? if so, what is the recommended OS?

 

thanks.

8 REPLIES 8

@Abdul_Razaq thank you but I have seen the article before. I am looking for some responses from experienced users who has decryption enabled on their firewalls. also, support engineer asked me to wait few weeks until the recommended version sinks in.

L6 Presenter

@SThatipelly wrote:

...with tls1.3 coming this March, should I fear of breaking ssl connections and upgrade to later version soon? if so, what is the recommended OS?

 

thanks.


 

 

Yes and no.  This will only be a problem for websites that are using the TLS1.3 protocol and if the browser (it should) supports it.

 

So if you do not upgrade your FW to the current supported version of the protocol then sites which leverage the protocol will be inaccessible by your users.  

 

Note -- This only means the FW will properly negotiate the handling of the protocol, not allow you to decrypt the TLS1.3 session.


@SThatipelly wrote:

@Abdul_Razaq thank you but I have seen the article before. I am looking for some responses from experienced users who has decryption enabled on their firewalls. also, support engineer asked me to wait few weeks until the recommended version sinks in.


 

<-- Experienced user / admin here...We upgraded to 8.0.14 a while ago.  I highly suggest upgrading to 8.0.14/15 to get this support.  Your users will make it mandatory by reporting issues if you don't.

thank you for the response. do we know if huge portion of internet is going to move to tls1.3 at this moment? and do we know of any site that has already migrated to it so I can test it before upgrade?

thanks.


@SThatipelly wrote:

thank you for the response. do we know if huge portion of internet is going to move to tls1.3 at this moment? 

thanks.


 

 

 

https://www.sandvine.com/blog/global-internet-phenomena-tls-1.3-adoption-facebook-leads-the-way

 

Looks like .026% are using TLS1.3.

 

 

I know Talos uses TLS 1.3 -- https://www.talosintelligence.com/ 

surprisingly, I am able to access while my firewall is decrypting traffic to both those sites. I am on 80.13

@SThatipelly,

Likely due to the browser you are using; Google Chrome, Mozilla Firefox, Microsoft Edge, and Internet Explorer all handle TLS 1.3 downgrade very differently. 

I know that Google has made some modifications since the notice was published that plays nicer with MitM decryption and allowing a downgrade to TLS 1.2; however I wouldn't want to rely on this as Google is actively playing around with the default settings between versions. 

  • 7744 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!