

TLS 1.3 has been in the works for four years. Final approval happened last week.

Knowing that TLS 1.2 has been implemented only recently on selected products (for those who figured out how), when can we expect it to be implemented on XG and other products? In 2028?

Paul Jr
  • Hi Paul,

    Regarding the XG:

    Currently, the XG already handles TLS 1.3 traffic with the web proxy. It does a downgrade to TLS 1.2 so as to not break traffic, which is an approach that other vendors have also taken, up until this point in time. 

    Native support for TLS 1.3 inspection is tentatively planned to be introduced in SFOS v18. However, this could be subject to change at any time.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • Thanks for the answer, FLO.

    Let's assume a TLS connection where the server is up to TLS 1.3 and the client is at TLS 1.1. If allowed, the server will downgrade to TLS 1.1, right?

    To my understanding, TLS has always downgraded to an earlier version when a client is not at the latest TLS. This is in the TLS specifications, unless admins have locked out older TLS/SSL. If I am not wrong, a very serious security issue was that TLS 1.0 would downgrade to the very insecure SSL 3.0. TLS 1.1 appeared mostly because of that.

    Google tried TLS 1.3 early last year but had to delay a year because too many problems occurred.  Downgrading to older TLS or not.

    Technically, a supplier is not TLS if the downgrade mechanism is not implemented.

    The question is now: if a user's desktop has TLS 1.2 implemented and a server has a TLS 1.3 ONLY rule, what will happen to the XG - in between - trying to scan that traffic?

    Paul Jr
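The negotiation questions raised in the two posts above (a TLS 1.1 client against a server that goes up to TLS 1.3, and a TLS 1.2 client against a TLS 1.3-only server) can be worked through with a small model of how TLS picks a version. The following is an added example written for this thread; it is not Sophos code and not something any poster supplied. It constructs ClientHello bodies inline (sample bytes, not captured traffic), parses the `supported_versions` extension that TLS 1.3 uses in place of the old `legacy_version` rule, and also models the downgrade sentinel that RFC 8446 requires a TLS 1.3-capable server to place in `ServerHello.random` when it negotiates an older version, which is how a TLS 1.3 client detects an on-path downgrade.

```python
"""Model of TLS version negotiation and the TLS 1.3 downgrade sentinel.

Added example for the discussion above; not part of the thread and not
vendor code. The ClientHello bytes are constructed in-line, not captured.
Encoding follows RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3)."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2.1
# Sentinels a TLS 1.3-capable server writes into the last 8 bytes of
# ServerHello.random when it negotiates an older version (RFC 8446 4.1.3).
DOWNGRADE_TO_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD\x01"
DOWNGRADE_TO_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD\x00"


def build_client_hello(versions, rand=b"\x11" * 32):
    """Construct a ClientHello body for a client supporting `versions`.

    Pre-1.3 clients announce their highest version in legacy_version only.
    TLS 1.3 clients set legacy_version to 0x0303 and list the real versions
    in the supported_versions extension."""
    highest = max(versions)
    legacy_version = TLS12 if highest >= TLS13 else highest
    body = struct.pack(">H", legacy_version) + rand
    body += b"\x00"                                   # empty session_id
    body += struct.pack(">H", 2) + b"\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression: null only
    extensions = b""
    if highest >= TLS13:
        vers = b"".join(struct.pack(">H", v) for v in sorted(versions, reverse=True))
        data = struct.pack(">B", len(vers)) + vers
        extensions += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack(">H", len(extensions)) + extensions
    return body


def offered_versions(body):
    """Parse a ClientHello body and return the set of versions the client offers."""
    legacy_version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                           # skip random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos >= len(body):                                   # no extensions block at all
        return {v for v in NAMES if v <= legacy_version}
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        if ext_type == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            return {struct.unpack(">H", data[1 + i:3 + i])[0] for i in range(0, n, 2)}
        pos += 4 + length
    # No supported_versions: legacy rule, legacy_version is the client's maximum.
    return {v for v in NAMES if v <= legacy_version}


def negotiate(client_hello, server_versions):
    """Return the version the server selects, or None (protocol_version alert)."""
    common = offered_versions(client_hello) & set(server_versions)
    return max(common) if common else None


def server_hello_random(server_versions, chosen, rand=b"\x22" * 32):
    """ServerHello.random as a TLS 1.3-capable server must produce it."""
    if TLS13 in server_versions and chosen == TLS12:
        return rand[:24] + DOWNGRADE_TO_TLS12
    if TLS13 in server_versions and chosen is not None and chosen <= TLS11:
        return rand[:24] + DOWNGRADE_TO_TLS11
    return rand


def client_rejects(client_versions, chosen, rand):
    """A TLS 1.3 client offered an older version plus the sentinel must abort
    (illegal_parameter). Clients without TLS 1.3 support ignore these bytes."""
    return (TLS13 in client_versions and chosen is not None and chosen < TLS13
            and rand[24:] in (DOWNGRADE_TO_TLS12, DOWNGRADE_TO_TLS11))


def scenarios():
    """The cases raised in the thread, keyed by name -> outcome."""
    results = {}
    # 1. TLS 1.1 client, server supports 1.1 to 1.3: server falls back to 1.1.
    ch = build_client_hello({TLS10, TLS11})
    results["tls11_client_vs_modern_server"] = negotiate(ch, {TLS11, TLS12, TLS13})
    # 2. TLS 1.2 client, server configured TLS 1.3 only: no common version,
    #    the handshake fails with a protocol_version alert.
    ch = build_client_hello({TLS10, TLS11, TLS12})
    results["tls12_client_vs_tls13_only_server"] = negotiate(ch, {TLS13})
    # 3. TLS 1.3 client whose ClientHello is rewritten on-path to drop 1.3:
    #    the server negotiates 1.2 but marks the random, and the client aborts.
    stripped = build_client_hello({TLS12})            # what reaches the server
    chosen = negotiate(stripped, {TLS12, TLS13})
    rnd = server_hello_random({TLS12, TLS13}, chosen)
    results["on_path_strip_detected"] = client_rejects({TLS12, TLS13}, chosen, rnd)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, NAMES.get(outcome, outcome))
```

Two points fall out of the model. First, "downgrade" in TLS is the server choosing the highest version both sides offer, so a TLS 1.3-only server has nothing in common with a TLS 1.2-only peer and the handshake simply fails; a device in the middle that only speaks TLS 1.2 to the server is that peer as far as the server is concerned. Second, the sentinel in scenario 3 only protects a client that itself supports TLS 1.3 and talks to the real server; a proxy that terminates the session and opens its own TLS 1.2 connection upstream is a TLS 1.2 client on that leg and, per the RFC, ignores the sentinel by design.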
