URL Filtering with TLS 1.3

david.campeau
Level 1

With forward secrecy in TLS 1.3, how is the FMC/FTD going to handle TLS 1.3 specifically with URL filtering?  This is just around the corner, so I was wondering if there were any work-arounds as the FTD will not be able to pull the certificate from the TLS handshake to determine domains. 

Accepted Solutions

aaron.hackney
Level 1

Hi David, 

You will need to terminate the SSL connections at the FTD and do full man-in-the-middle SSL proxy. I believe that the Firepower teams are working on adding TLS 1.3 draft 28 support to future releases.

I have done a short write up on URL filtering and TLS 1.3 here if you are interested: https://hacksbrain.com/2018/07/25/tls-1-3-ramifications/

Hope that helps!

-A

2 Replies

Good information as well as a good write up -- Thanks for the info.
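
Added example, not part of the thread and not Cisco code: a passive check of the server's handshake flight that reports the negotiated TLS version and whether a Certificate message is readable without decryption, which is the visibility the question says is lost with TLS 1.3. The sample flights are constructed, and the parser assumes each handshake message fits in one record.

```python
import struct

def records(stream):
    """Yield (content_type, fragment) for each TLS record in the byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def negotiated_version(sh):
    """Version from a ServerHello body; supported_versions (ext 43) overrides."""
    version = struct.unpack_from("!H", sh, 0)[0]
    off = 34 + 1 + sh[34] + 3          # version, random, session_id, suite, compression
    if off + 2 > len(sh):
        return version                 # no extensions block at all
    end = off + 2 + struct.unpack_from("!H", sh, off)[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", sh, off)
        if etype == 43 and elen == 2:
            version = struct.unpack_from("!H", sh, off + 4)[0]
        off += 4 + elen
    return version

def inspect_server_flight(stream):
    """Return (negotiated version, True if a Certificate message is in cleartext)."""
    version, cert_visible = None, False
    for ctype, frag in records(stream):
        if ctype == 20:                # ChangeCipherSpec: what follows is encrypted
            break
        off = 0
        while ctype == 22 and off + 4 <= len(frag):   # cleartext handshake record
            mtype, mlen = frag[off], int.from_bytes(frag[off + 1:off + 4], "big")
            if mtype == 2:             # ServerHello
                version = negotiated_version(frag[off + 4:off + 4 + mlen])
            elif mtype == 11:          # Certificate
                cert_visible = True
            off += 4 + mlen
    return version, cert_visible

# Constructed sample flights (not captures); random, suite and payloads are filler.
rec = lambda t, frag: struct.pack("!BHH", t, 0x0303, len(frag)) + frag
hs = lambda t, body: bytes([t]) + len(body).to_bytes(3, "big") + body
hello = lambda exts: hs(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00"
                        + struct.pack("!H", len(exts)) + exts)
TLS12_FLIGHT = rec(22, hello(b"")) + rec(22, hs(11, b"\x00\x00\x00"))
TLS13_FLIGHT = (rec(22, hello(struct.pack("!HHH", 43, 2, 0x0304)))
                + rec(20, b"\x01") + rec(23, bytes(64)))
```

A flight that returns version `0x0304` with no visible Certificate is one where certificate-based categorization needs the decrypting proxy described in the accepted solution.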