Technical Tip: TLS 1.3 support
Description
This article explains TLS 1.3 proxy support.
Scope
For version 6.2.1
Solution
TLS 1.3 is now supported in proxy mode. Note that the examples below set both ssl-min-version and ssl-max-version to tls-1.3, which makes the listener TLS 1.3-only and rejects clients that can negotiate at most TLS 1.2; to add TLS 1.3 while still accepting those clients, raise only ssl-max-version and leave ssl-min-version at its existing value.
To add TLS 1.3 to an SSL server profile, use the following commands from the CLI:
# config firewall ssl-server
edit "1"
set ip 172.16.200.99
set port 443
set ssl-mode half
set add-header-x-forwarded-proto enable
set url-rewrite disable
set mapped-port 80
set ssl-cert "Fortinet_CA_SSL" <----- Example value only: Fortinet_CA_SSL is the built-in CA certificate used for SSL inspection; present a server certificate issued for this service's hostname instead.
set ssl-dh-bits 2048
set ssl-algorithm high
set ssl-client-renegotiation allow <----- Consider 'secure' here, as in the virtual server example below; 'allow' permits client-initiated renegotiation, which TLS 1.3 removed but which still applies if ssl-min-version is lowered to accept TLS 1.2 clients.
set ssl-min-version tls-1.3 <----- Set the minimum to tls-1.3 only if every client supports TLS 1.3; otherwise leave it at its current value and raise only ssl-max-version.
set ssl-max-version tls-1.3 <----- Raising the maximum to tls-1.3 is what enables TLS 1.3.
set ssl-send-empty-frags enable
next
end

To add TLS 1.3 to a virtual server profile, use the following commands from the CLI:
# config firewall vip
edit "1"
set id 0
set uuid ba50ae56-8c64-51e9-956c-860a475e69c5
set comment ''
set type server-load-balance
set extip 0.0.0.0
set extintf ''
set arp-reply enable
set server-type https
set nat-source-vip disable
set gratuitous-arp-interval 0
set http-ip-header disable
set ssl-client-rekey-count 0
set ssl-hpkp disable
set ssl-hsts disable
set color 0
set ldb-method static
set persistence none
set extport 443
set http-multiplex disable
set outlook-web-access disable
set weblogic-server disable
set websphere-server disable
set ssl-mode half
set ssl-certificate ''
set ssl-dh-bits 2048
set ssl-algorithm high
set ssl-pfs require
set ssl-min-version tls-1.3 <----- Set the minimum to tls-1.3 only if every client supports TLS 1.3; otherwise leave it at its current value and raise only ssl-max-version.
set ssl-max-version tls-1.3 <----- Raising the maximum to tls-1.3 is what enables TLS 1.3.
set ssl-send-empty-frags enable
set ssl-client-fallback enable
set ssl-client-renegotiation secure
set ssl-client-session-state-type both
set ssl-client-session-state-timeout 30
set ssl-client-session-state-max 1000
set ssl-http-location-conversion disable
set max-embryonic-connections 1000
next
end