Anyone having connection timeout errors with deep inspection on Chromium dev?
So I think the "TLS 1.3 downgrade hardening bypass" is breaking with FortiOS 5.6.x Deep inspection, even if a URL is on the SSL inspection exception list.
https://www.chromestatus....ature/5128354539765760
Question: Is there a build of 5.6.x that has good TLS 1.3 deep inspection support? I am currently on FortiOS v5.6.9 build1673, and am trying to determine if upgrading to 5.6.12 would help or hurt.
Thanks!
-Neil
I heard they started fully supporting TLS 1.3 with 6.2.
https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you.html
I'm not sure if they would implement the same even to 6.0.
Based on Google's current Chromium schedule, the v80 code line goes live in Feb 2020...
https://www.chromium.org/developers/calendar
https://chromiumdash.appspot.com/schedule
How are people not freaking out about this not working pre-6.2?
From the linked Fortinet blog:
"The latest version of FortiOS 6.0 not only fully supports TLS 1.2 MITM, but it also does not break TLS 1.3 when it has to negotiate down to TLS 1.2."
which implies that 6.0.8 fully supports the sanctioned downgrade methods as described in https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html.
From https://support.google.com/chrome/a/answer/7679408?hl=en in the section on the TLS 1.3 hardening measure implemented in Chrome 81:
"This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2."
so I *think* we won't be broken on 6.0.x, though I would certainly rather have full TLS 1.3 support on 6.0.
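
The downgrade check discussed in this thread (RFC 8446 section 4.1.3), as an added example that is not part of the original posts: a TLS 1.3 client rejects a ServerHello that negotiates TLS 1.2 or below when the last 8 bytes of the server random carry the `DOWNGRD` sentinel. The function names and the sample records are constructed for illustration; feeding it a ServerHello record exported from a capture shows what the inspecting device hands the browser.

```python
import struct

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates an older
# version overwrites the last 8 bytes of ServerHello.random with one of these.
SENTINELS = {b"DOWNGRD\x01": "TLS 1.2", b"DOWNGRD\x00": "TLS 1.1 or below"}

def parse_server_hello(record):
    """Return (negotiated_version, random) from one TLS record carrying a ServerHello."""
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) < 4 + 35 or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    version = struct.unpack("!H", body[4:6])[0]   # legacy_version
    random = body[6:38]
    pos = 39 + body[38]          # skip session_id
    pos += 3                     # cipher_suite (2) + compression_method (1)
    if pos + 2 <= len(body):     # extensions are optional in TLS 1.2
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == 43 and ext_len == 2:   # supported_versions (TLS 1.3)
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return version, random

def check_downgrade(record):
    """Check performed by a client that offered TLS 1.3."""
    version, random = parse_server_hello(record)
    marker = SENTINELS.get(random[-8:])
    if version < 0x0304 and marker:
        return "abort: server random carries the downgrade sentinel for " + marker
    return "ok"

def build_sample(random, tls13=False):
    """Constructed ServerHello record (sample data, not a capture)."""
    exts = struct.pack("!HHH", 43, 2, 0x0304) if tls13 else b""
    suite = b"\x13\x01" if tls13 else b"\xc0\x2f"
    hello = b"\x03\x03" + random + b"\x00" + suite + b"\x00"
    hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs
```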