cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

TLS 1.3 support

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Jan_Linhart
L2 Linker
‎02-25-2019 12:13 PM
‎02-25-2019 12:13 PM

TLS 1.3 support

Hi everybody,

any news regarding change of decryption from passive to proxy mode to support TLS 1.3 decryption?

Thank you,

Jan

0 Likes
Reply
Abdul_Razaq
L4 Transporter
‎02-25-2019 11:40 PM
‎02-25-2019 11:40 PM

Hi @Jan_Linhart ,

 

Is below document addresses your query?

https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-required-if-you-have-enabled-SSL-dec...

 

Added to above, As of my knowledge, PA will be doing proxy by default for all connections matching with forward proxy rule,

But inbound inspection is different, it was passive eveasdropping till PanOS 8.0, so if key exchange is DH/ECDH, the decryption fails before 8.0. But after 8.0 they changed the behaviour, so that PA will be active in MITM. if key exchange is RSA, PA wont be proxying the connection, but if key exchange is DH/ECDH, PA will involk the proxy module. 

0 Likes
Reply
Jan_Linhart
L2 Linker
‎02-26-2019 01:05 AM
‎02-26-2019 01:05 AM

Hi Abdul,

unfortunately, there is no answer for my question. PAN-OS has support for TLS1.3 now, but not support for decryption.

Please look at this link:

https://blog.gigamon.com/2018/05/10/tls-1-3-is-moving-forward-what-you-need-to-know-today-to-get-rea...

 

Most important part is:

With TLS 1.3, this passive mode decryption (the one PANW is using - transparent for clients) will no longer be possible since the RSA key exchange has been removed. 

 

Jan

0 Likes
Reply
Abdul_Razaq
L4 Transporter
‎02-26-2019 05:13 AM
‎02-26-2019 05:13 AM

Hi @Jan_Linhart ,

 

PA is doing proxy for DH/ECDH key exchange now also. so if you have a PanOS version supports TLS 1.3, things should work i feel. 

 

Do you have a trustable source which says 'Pan OS wont support decryption for TLS 1.3' ?.

0 Likes
Reply
Chacko42
L4 Transporter
‎02-26-2019 05:24 AM
‎02-26-2019 05:24 AM

23.10.2018:

 

Dear valued Palo Alto Networks customer,

 

Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 72. The stable build of Google Chrome version 72 may be available in January 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.

 

Applies to

All supported PAN-OS releases

 

Action Required

If you run PAN-OS 8.1:

  • Upgrade to PAN-OS 8.1.4 (available now)
Best Regards
Chacko
0 Likes
Reply
Brandon_Wertz
Cyber Elite
Cyber Elite
‎02-26-2019 05:39 AM
‎02-26-2019 05:39 AM

@Abdul_Razaq @Chacko42  I think what @Jan_Linhart  is asking is not so much about the ability for PAN-OS to just merely support the protocol, but rather the ability to actually DECRYPT the TLS1.3 session.

 

I think that it something that is being targeted for PAN-OS 9.1, but who knows if it'll actually make it in the release...

 

BTW this is another reason I bet Palo came out with the X2XX hardware.  I doubt the legacy HW would have been able to handle TLS1.3 decryption.

0 Likes
Reply
Brandon_Wertz
Cyber Elite
Cyber Elite
‎02-26-2019 05:43 AM
‎02-26-2019 05:43 AM

@Abdul_Razaq wrote:

Hi @Jan_Linhart ,

 

 

Do you have a trustable source which says 'Pan OS wont support decryption for TLS 1.3' ?.

 

 

Yeah PAN-OS software itself.

 

Decrypt.png

Reply
BPry
Cyber Elite
Cyber Elite
‎02-26-2019 07:30 AM
‎02-26-2019 07:30 AM

So it's important to note here the difference between supporting the protocol and actively being able to decrypt TLS 1.3.

  • Palo Alto has now added support for TLS1.3 and has made the required changes so that the firewall will no-longer attempt to decrypt TLS 1.3 traffic, which was causing issues for customers with decryption enabled running PAN-OS versions prior to 8.0.14 in the 8.0 code branch or 8.1.4 in the 8.1 code branch.
  •  Palo Alto can't actually decrypt TLS1.3 traffic just yet and as @Brandon_Wertz mentioned it's something being targeted for a future update. Whether or not it actually makes it into 9.1 or not we'll have to wait and see. 
Reply
Jan_Linhart
L2 Linker
‎02-26-2019 12:14 PM
‎02-26-2019 12:14 PM

Hi guys, 

as you wrote before - I'm aware of protocol support, but I was asking about plans for decryption support. It is not going to be easy at all and PANW will have to completely change decryption concept from "passive" to real proxy.

 

Jan

0 Likes
Reply
Sec101
L4 Transporter
‎07-08-2019 07:02 AM
‎07-08-2019 07:02 AM

ok, so did this one ever get answered?

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks