07-25-2018 12:18 PM - edited 03-12-2019 06:50 AM
With forward secrecy in TLS 1.3, how is the FMC/FTD going to handle TLS 1.3 specifically with URL filtering? This is just around the corner, so I was wondering if there were any work-arounds as the FTD will not be able to pull the certificate from the TLS handshake to determine domains.
07-25-2018 02:59 PM - edited 07-25-2018 04:53 PM
Hi David,
You will need to terminate the SSL connections at the FTD and do a full man-in-the-middle SSL proxy. I believe that the Firepower teams are working on adding TLS 1.3 draft 28 support to future releases.
I have done a short write-up on URL filtering and TLS 1.3 here if you are interested: https://hacksbrain.com/2018/07/25/tls-1-3-ramifications/
Hope that helps!
-A
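Added example, not part of the original thread and not Cisco code: a minimal record-layer parser showing why a passive inspector sees the server Certificate in a TLS 1.2 handshake but not in TLS 1.3, where it travels encrypted inside application_data records. The function names are hypothetical and the two server flights are constructed samples with filler bodies; only the record and handshake framing is real.

```python
import struct

# TLS record content types and handshake message types (RFC 5246 / RFC 8446)
CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 20, 22, 23
NAMES = {2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def plaintext_handshake_messages(flight: bytes) -> list:
    """Handshake messages a passive (non-decrypting) observer can read."""
    buf, pos, protected = b"", 0, False
    while pos + 5 <= len(flight):
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        payload = flight[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture: ignore the partial record
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            protected = True  # TLS 1.2: records after this are encrypted
        elif ctype == HANDSHAKE and not protected:
            buf += payload  # handshake messages may span records
        # APPLICATION_DATA records are opaque; in TLS 1.3 the server
        # Certificate is carried inside them, encrypted.
    seen, i = [], 0
    while i + 4 <= len(buf):
        mlen = int.from_bytes(buf[i + 1:i + 4], "big")
        if i + 4 + mlen > len(buf):
            break  # incomplete handshake message
        seen.append(NAMES.get(buf[i], f"type_{buf[i]}"))
        i += 4 + mlen
    return seen

def certificate_visible(flight: bytes) -> bool:
    return "Certificate" in plaintext_handshake_messages(flight)

# --- constructed sample flights: framing only, bodies are filler bytes ---
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def message(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

TLS12_FLIGHT = (record(HANDSHAKE, message(2, bytes(38)))
                + record(HANDSHAKE, message(11, bytes(64)))
                + record(HANDSHAKE, message(14, b"")))
TLS13_FLIGHT = (record(HANDSHAKE, message(2, bytes(38)))
                + record(CHANGE_CIPHER_SPEC, b"\x01")
                + record(APPLICATION_DATA, b"\xaa" * 80))

if __name__ == "__main__":
    for name, flight in (("TLS 1.2", TLS12_FLIGHT), ("TLS 1.3", TLS13_FLIGHT)):
        print(name, plaintext_handshake_messages(flight), certificate_visible(flight))
```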
07-26-2018 05:14 AM
Good information as well as a good write-up -- Thanks for the info.