Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NeilG
Contributor

Anyone having connection timeout errors with deep inspection on Chromium dev?

So I think the "TLS 1.3 downgrade hardening bypass" is breaking with FortiOS 5.6.x Deep inspection, even if a url is on the SSL inspection exception list.

https://www.chromestatus....ature/5128354539765760

Question: Is there a build of 5.6.x that has good TLS 1.3 deep inspection support? I am currently on FortiOS v5.6.9 build1673, and am trying to determine if upgrading to 5.6.12 would help or hurt.

Thanks!

-Neil

Toshi_Esumi
Esteemed Contributor III

I heard they started fully supporting TLS 1.3 with 6.2.

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you.html

I'm not sure if they would implement the same even to 6.0.

James_G

Correct, TLS 1.3 is a FortiOS 6.2 and higher feature. It is the feature that I feel will make many people eventually upgrade to 6.2.x.
NeilG

Based on Google's current Chromium schedule, the v80 code line goes live in Feb 2020...

https://www.chromium.org/developers/calendar

https://chromiumdash.appspot.com/schedule

How are people not freaking out about this not working pre-6.2?

tanr
Valued Contributor II

From the linked Fortinet blog:

    "The latest version of FortiOS 6.0 not only fully supports TLS 1.2 MITM, but it also does not break TLS 1.3 when it has to negotiate down to TLS 1.2."

which implies that 6.0.8 fully supports the sanctioned downgrade methods as described in https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html.

From https://support.google.com/chrome/a/answer/7679408?hl=en in the section on the TLS 1.3 hardening measure implemented in Chrome 81:

    "This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2."

so I *think* we won't be broken on 6.0.x, though I would certainly rather have full TLS 1.3 support on 6.0.
