
LTM TLS 1.3

Does LTM version 13.X support TLS 1.3? If yes, how do I check that and apply it to VS client SSL profiles?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

TLS 1.3 is still not released.

Draft 26 was released on March 04, 2018

1

You can find the SSL/TLS protocols and cipher suites supported by the F5 here: K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)

TLS 1.3 is not listed and, as Stanislas said, it is currently in draft, but also don't expect it to be supported until the majority of browsers have implemented it.

0
Comments on this Answer
Comment made 06-Mar-2018 by Ashu 61

OK, thanks for the information. I asked because I heard from someone that F5 has already released it, and I installed the latest version BIGIP-13.1.0.3-0.0.5 and couldn't find that.

Thanks again to both of you.

0

Can I just upgrade the OpenSSL package to use TLS 1.3? And will TLS 1.3 be processed in hardware by the current BIG-IP model with NITROX III, or do I need the new i series model?

Thanks!

0
Comments on this Answer
Comment made 06-Mar-2018 by Jie 2660

Per previous posts, there is no implementation/support of TLS1.3 on BIG-IP, as the protocol standard is not finalised (in draft and not approved) yet. Some clients may have implemented a draft version and they may just stop working when a new draft is out.

If you do have a real need for this, and have a working client and an application with TLS1.3, you can pass the traffic on L4 through a BIG-IP device.

0

TLS 1.3 has just been approved by the IETF: https://techcrunch.com/2018/03/23/the-web-will-soon-be-a-little-safer-with-the-approval-of-this-new-security-standard/

It would be great to get a timeline when F5 intends to release a software update supporting TLS 1.3. Also, both Chrome and Firefox support TLS 1.3.

Chrome 65 supports TLS 1.3: https://www.chromium.org/Home/tls13

Firefox 52 supports TLS 1.3: https://groups.google.com/forum/#!topic/mozilla.dev.platform/sfeqeMkyxCI

0
Comments on this Answer
Comment made 26-Mar-2018 by Andy McGrath 2133

Both Chrome and Firefox support draft versions of TLS 1.3 up until now. Guess the next version of the browsers will support the final version and F5 will likely add support within the next major release.

0
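Added illustration (not part of the thread and not F5 code): the draft-versus-final distinction discussed above is visible on the wire in the ClientHello `supported_versions` extension, where drafts use codepoint 0x7f00 plus the draft number and the final RFC 8446 uses 0x0304. The helper `build_client_hello` is hypothetical and only constructs sample input.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type defined in RFC 8446
FINAL_TLS13 = "TLS 1.3 (RFC 8446)"

def label(version):
    """Name a 16-bit version codepoint, separating drafts from the final RFC."""
    if version == 0x0304:
        return FINAL_TLS13
    if version >> 8 == 0x7F:
        return f"TLS 1.3 draft {version & 0xFF}"
    return {0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}.get(
        version, f"unknown 0x{version:04x}")

def offered_versions(record):
    """Return the versions a ClientHello record offers, most preferred first."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                       # legacy_version + random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return [label(legacy)]                         # no extensions at all
    end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == SUPPORTED_VERSIONS and data:
            raw = data[1:1 + data[0]]                  # skip the 1-byte list length
            return [label(v) for (v,) in struct.iter_unpack("!H", raw[:len(raw) // 2 * 2])]
        pos += 4 + ext_len
    return [label(legacy)]                             # pre-1.3 client

def offers_final_tls13(record):
    """True only if the client offers the final 0x0304 codepoint, not a draft."""
    return FINAL_TLS13 in offered_versions(record)

def build_client_hello(versions):
    """Constructed sample input: a minimal ClientHello offering `versions`."""
    vlist = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that lists only a draft codepoint has no TLS 1.3 version in common with a server implementing the final RFC, so the handshake settles on TLS 1.2 if both sides still allow it.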

As has already been commented above, TLS 1.3 is now approved. Is there a real answer yet for a timeline for supporting it?

0
Comments on this Answer
Comment made 10-Apr-2018 by Andy McGrath 2133

Short answer: nope. F5 uses OpenSSL for a lot of SSL work, so the answer to your question is a question: when will OpenSSL 1.1.1 be released (which will support the final TLS 1.3 standard)?

That can be followed by another question: when will F5 view OpenSSL 1.1.1 as stable and add it to their next major release?

If you have a major project I would go ask F5 via your reseller or F5 account manager as they might be able to sort you out early access or engineering release but I would guess this would take a while to sort.

0

With the DH & RSA ciphers marked down as weak & dinged on Qualys on PFS: a. How do we make the sites more secure? b. How do we make sure clients that connect to the sites will not be impacted when we take out the weak ciphers and support only a handful of ciphers that are strong under TLS 1.2?

Are we left with many options here?

0

Thought might be of interest to some: F5 Article TLS1-3 are you ready

0

TLSv1.3 (final standard, i.e. RFC 8446) will be supported starting from BIG-IP v14.1.0.1 (and also in v15.0) on the clientssl side (i.e. the frontend, where BIG-IP acts as server). The serverssl side (i.e. the backend, where BIG-IP acts as client to the backend server) will be supported in BIG-IP v15.1.

0
Comments on this Answer
Comment made 1 week ago by am.gli 151

Since some customers are already asking: will TLSv1.3 also be supported in upcoming releases of v13.x later?

The problem is, some customers have VE licences that are only capable of upgrading until v13.

If TLS 1.3 is coming only for v15, would this mean that they need a completely new box/license?

0
Comment made 1 week ago by Saravanan M K

There is no plan to backport the TLS 1.3 feature to v13.x.

0

@Saravanan

How does F5 BigIP handle Perfect Forward Secrecy in the client and server side profiles? TLS 1.3 supports ephemeral keys, and the keys can be changed midway during the SSL session. How would F5 BigIP be able to gain access to the ephemeral keys to decrypt the sessions? Any idea when we can get more details?

0
Comments on this Answer
Comment made 1 month ago by Kevin Stewart

laksh, you seem to be implying passive decryption, which isn't possible anyway. BIG-IP handles PFS as a function of the proxy architecture, terminating the TLS session on the client side, and initiating a separate TLS session on the server side.

0