02-26-2019 05:38 AM
I know I am late in posting about tls1.3.
I have my permiter 5020s doing inbound and outbound ssl decryption. I'm currently on 8.0.13 and never had any issues. with tls1.3 coming this March, should I fear of breaking ssl connections and upgrade to later version soon? if so, what is the recommended OS?
thanks.
02-26-2019 05:49 AM
@Abdul_Razaq thank you but I have seen the article before. I am looking for some responses from experienced users who has decryption enabled on their firewalls. also, support engineer asked me to wait few weeks until the recommended version sinks in.
02-26-2019 05:50 AM
@SThatipelly wrote:...with tls1.3 coming this March, should I fear of breaking ssl connections and upgrade to later version soon? if so, what is the recommended OS?
thanks.
Yes and no. This will only be a problem for websites that are using the TLS1.3 protocol and if the browser (it should) supports it.
So if you do not upgrade your FW to the current supported version of the protocol then sites which leverage the protocol will be inaccessible by your users.
Note -- This only means the FW will properly negotiate the handling of the protocol, not allow you to decrypt the TLS1.3 session.
02-26-2019 05:53 AM
@SThatipelly wrote:@Abdul_Razaq thank you but I have seen the article before. I am looking for some responses from experienced users who has decryption enabled on their firewalls. also, support engineer asked me to wait few weeks until the recommended version sinks in.
<-- Experienced user / admin here...We upgraded to 8.0.14 a while ago. I highly suggest upgrading to 8.0.14/15 to get this support. Your users will make it mandatory by reporting issues if you don't.
02-26-2019 05:53 AM
thank you for the response. do we know if huge portion of internet is going to move to tls1.3 at this moment? and do we know of any site that has already migrated to it so I can test it before upgrade?
thanks.
02-26-2019 06:40 AM
@SThatipelly wrote:thank you for the response. do we know if huge portion of internet is going to move to tls1.3 at this moment?
thanks.
https://www.sandvine.com/blog/global-internet-phenomena-tls-1.3-adoption-facebook-leads-the-way
Looks like .026% are using TLS1.3.
I know Talos uses TLS 1.3 -- https://www.talosintelligence.com/
02-26-2019 07:18 AM
surprisingly, I am able to access while my firewall is decrypting traffic to both those sites. I am on 80.13
02-26-2019 07:33 AM
Likely due to the browser you are using; Google Chrome, Mozilla Firefox, Microsoft Edge, and Internet Explorer all handle TLS 1.3 downgrade very differently.
I know that Google has made some modifications since the notice was published that plays nicer with MitM decryption and allowing a downgrade to TLS 1.2; however I wouldn't want to rely on this as Google is actively playing around with the default settings between versions.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
