
Anyone having connection timeout errors with deep inspection on Chromium dev?

So I think the "TLS 1.3 downgrade hardening bypass" is breaking with FortiOS 5.6.x deep inspection, even if a URL is on the SSL inspection exception list.




Question: Is there a build of 5.6.x that has good TLS 1.3 deep inspection support? I am currently on FortiOS v5.6.9 build1673, and am trying to determine if upgrading to 5.6.12 would help or hurt.






I heard they started fully supporting TLS 1.3 with 6.2.

I'm not sure if they would implement the same even to 6.0.


Correct, TLS 1.3 is a FortiOS 6.2 and higher feature. It is the feature that I feel will make many people eventually upgrade to 6.2.x.

Based on Google's current Chromium schedule, the v80 code line goes live in Feb 2020...


How are people not freaking out about this not working pre-6.2?




From the linked Fortinet blog:


    "The latest version of FortiOS 6.0 not only fully supports TLS 1.2 MITM, but it also does not break TLS 1.3 when it has to negotiate down to TLS 1.2."


which implies that 6.0.8 fully supports the sanctioned downgrade methods as described in  


From in the section on TLS 1.3 hardening measure implemented in Chrome 81:


    "This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2."


so I *think* we won't be broken on 6.0.x, though I would certainly rather have full TLS 1.3 support on 6.0.

