So I think the "TLS 1.3 downgrade hardening bypass" is breaking with FortiOS 5.6.x Deep inspection, even if a url is on the SSL inspection exception list.
https://www.chromestatus....ature/5128354539765760
Question: Is there a build of 5.6.x that has good TLS 1.3 deep inspection support? I am currently on FortiOS v5.6.9 build1673, and am trying to determine if upgrading to 5.6.12 would help or hurt.
Thanks!
-Neil
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I heard they started fully supporting TLS 1.3 with 6.2.
https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you.html
I'm not sure if they would implement the same even to 6.0.
Based on googles current chromium schedule, the v80 code line goes live in Feb 2020...
https://www.chromium.org/developers/calendar
https://chromiumdash.appspot.com/schedule
How are people not freaking out about this not working pre-6.2?
From the linked Fortinet blog:
"The latest version of FortiOS 6.0 not only fully supports TLS 1.2 MITM, but it also does not break TLS 1.3 when it has to negotiate down to TLS 1.2."
which implies that 6.0.8 fully supports the sanctioned downgrade methods as described in https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html.
From https://support.google.com/chrome/a/answer/7679408?hl=en in the section on TLS 1.3 hardening measure implemented in Chrome 81:
"This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2."
so I *think* we won't be broken on 6.0.x, though I would certainly rather have full TLS 1.3 support on 6.0.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.