Does LTM version 13.X support TLS 1.3? If yes, how do I check that and apply it to VS client SSL profiles?
TLS 1.3 is still not released.
Draft 26 was released on March 04, 2018
You can find SSL/TLS protocol and ciphersuites supported by the F5 from here K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)
TLS 1.3 is not listed and as Stanislas said it is currently in draft but also don't expect it to be supported until the majority of browsers have implemented it.
Ok, thanks for the information. I asked because I heard from someone that F5 has already released it, and I installed the latest version BIGIP-126.96.36.199-0.0.5 and couldn't find that.
Thanks again to both of you.
Can I just upgrade the openSSL package for using TLS1.3?
And will TLS1.3 be processed by current BIG-IP model with NITROX III in hardware or I need the new i series model?
Per previous posts, there is no implementation/support of TLS1.3 on BIG-IP, as the protocol standard is not finalised (in draft and not approved) yet. Some clients may have implemented a draft version and they may just stop working when a new draft is out.
If you do have a real need for this, and have a working client and an application with TLS1.3, you can pass the traffic on L4 through a BIG-IP device.
TLS 1.3 has just been approved by the IETF: https://techcrunch.com/2018/03/23/the-web-will-soon-be-a-little-safer-with-the-approval-of-this-new-security-standard/
It would be great to get a timeline when F5 intends to release a software update supporting TLS 1.3. Also, both Chrome and Firefox support TLS 1.3.
Chrome 65 supports TLS 1.3: https://www.chromium.org/Home/tls13
Firefox 52 supports TLS 1.3: https://groups.google.com/forum/#!topic/mozilla.dev.platform/sfeqeMkyxCI
Both Chrome and Firefox support draft versions of TLS 1.3 up until now.
Guess the next version of the browsers will support the final version and F5 will likely add support within the next major release.
As has already been commented above, TLS1.3 is now approved. Is there a real answer yet for a timeline for supporting it?
Short answer nope.
F5 uses OpenSSL for a lot of SSL work, so the answer to your question is a question: when will OpenSSL 1.1.1 be released (which will support the final TLS 1.3 standard)?
That can be followed by another question of when will F5 view OpenSSL 1.1.1 as stable and add to their next major release?
If you have a major project, I would go ask F5 via your reseller or F5 account manager, as they might be able to sort you out with early access or an engineering release, but I would guess this would take a while to sort.
With the DH & RSA ciphers marked down as weak & dinged on Qualys on PFS:
a. How do we make the sites more secure &
b. How do we make sure clients that connect to the sites will not be impacted by taking out the weak ciphers and only supporting a handful of ciphers that are strong by TLS 1.2?
Are we left with many options here?
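As an added illustration (not code from this thread or from F5), the following Python script audits an OpenSSL-style cipher string of the kind used in a BIG-IP client SSL profile, tags each suite by key-exchange type, reports why a suite would be marked down (no forward secrecy, RC4, 3DES, SHA-1 CBC MACs, export or NULL suites), and emits a string containing only the suites that pass. The sample cipher string is constructed; F5 keyword entries such as DEFAULT are not expanded and are reported as-is.

```python
"""Audit an OpenSSL-style cipher string for forward secrecy and legacy weaknesses.

Constructed example, not part of the original forum thread. Suite names follow
OpenSSL conventions (ECDHE-RSA-AES256-GCM-SHA384, TLS_AES_128_GCM_SHA256, ...).
"""
from dataclasses import dataclass, field
from typing import List

EPHEMERAL_KEX = ("ECDHE", "DHE")          # forward-secret key exchange
STATIC_KEX = ("ECDH", "DH")               # static (EC)DH: no forward secrecy
KEYWORDS = {"DEFAULT", "ALL", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}


@dataclass
class Suite:
    name: str
    kex: str                 # "TLS13", "ECDHE", "DHE", "ECDH", "DH", "RSA" or "KEYWORD"
    forward_secret: bool
    weak_reasons: List[str] = field(default_factory=list)


def classify(name: str) -> Suite:
    """Classify one suite name; every TLS 1.3 suite is ephemeral by construction."""
    if name in KEYWORDS:
        # Keyword groups expand differently per OpenSSL/BIG-IP version; flag for manual review.
        return Suite(name, "KEYWORD", False, ["unexpanded keyword, audit the expanded list"])
    if name.startswith("TLS_"):
        return Suite(name, "TLS13", True, [])

    first = name.split("-")[0]
    if first in EPHEMERAL_KEX:
        kex = first
    elif first in STATIC_KEX:
        kex = first
    else:
        kex = "RSA"                       # plain RSA key transport (e.g. AES256-SHA)
    forward_secret = kex in EPHEMERAL_KEX

    reasons: List[str] = []
    if not forward_secret:
        reasons.append("no forward secrecy (static key exchange)")
    if "RC4" in name:
        reasons.append("RC4 stream cipher")
    if "3DES" in name or "DES-CBC3" in name:
        reasons.append("3DES (64-bit block)")
    if "EXP" in name or "NULL" in name:
        reasons.append("export-grade or NULL suite")
    if "MD5" in name:
        reasons.append("MD5 MAC")
    if name.endswith("-SHA"):
        reasons.append("SHA-1 HMAC with CBC mode")
    return Suite(name, kex, forward_secret, reasons)


def audit(cipher_string: str) -> List[Suite]:
    """Split an OpenSSL-style cipher string and classify each positive entry.

    Exclusions ("!RC4") are honoured by dropping matching entries; "+" and "@"
    ordering directives are ignored for this audit.
    """
    tokens = [t for t in cipher_string.split(":") if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    suites = []
    for tok in tokens:
        if tok.startswith(("!", "+", "-", "@")):
            continue
        if tok in excluded:
            continue
        suites.append(classify(tok))
    return suites


def hardened(cipher_string: str) -> str:
    """Return the cipher string with every suite that has a weak reason removed."""
    return ":".join(s.name for s in audit(cipher_string) if not s.weak_reasons)


# Constructed sample: a mix of modern, legacy and TLS 1.3 suites.
SAMPLE = (
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:AES256-SHA:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:RC4-SHA:TLS_AES_128_GCM_SHA256:!RC4-SHA"
)

if __name__ == "__main__":
    for s in audit(SAMPLE):
        status = "OK " if not s.weak_reasons else "WEAK"
        print(f"{status} {s.name:36} kex={s.kex:6} pfs={s.forward_secret} {'; '.join(s.weak_reasons)}")
    print("hardened:", hardened(SAMPLE))
```

Run it against the cipher string from `tmsh list ltm profile client-ssl <name> ciphers` to see which entries a PFS scan would mark down before you change the profile; the hardened output is a starting point, and the expanded list on the box is what clients actually see.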
Thought might be of interest to some: F5 Article TLS1-3 are you ready
TLSv1.3 (final standard, i.e. RFC 8446) will be supported starting from BIG-IPv188.8.131.52 (and also in v15.0) on the clientssl side (i.e. frontend, where BIG-IP acts as server). Serverssl side (i.e. backend, where BIG-IP acts as client to the backend server) support will come in BIG-IPv15.1.
Since some customers already ask: will TLSv1.3 also be supported on upcoming releases of v13.x later?
The problem is, some customers have VE licences that are only capable of upgrading up to v13.
If TLS 1.3 is coming only for v15, would this mean that they need a completely new box/license?
There is no plan to backport TLS 1.3 feature on v13.x.
How does F5 BigIP handle Perfect Forward Secrecy in the client and server side profiles? TLS 1.3 supports ephemeral keys, and the keys can be changed midway during the SSL session. How would F5 BigIP be able to gain access to the ephemeral keys to decrypt the sessions? Any idea when we can get more details?
laksh, you seem to be implying passive decryption, which isn't possible anyway. BIG-IP handles PFS as a function of the proxy architecture, terminating the TLS session on the client side, and initiating a separate TLS session on the server side.
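To make the proxy-architecture point concrete, here is an added Python model (not from the thread or from F5) of a full-proxy TLS device with two independent ephemeral Diffie-Hellman legs: client to proxy, and proxy to backend. Each leg derives its own shared secret from fresh per-session keys, the proxy holds the secret for both legs because it is an endpoint of each, and the transcript an observer sees contains only public values. The group parameters are a constructed toy (a 127-bit Mersenne prime), chosen for readability, not security; real TLS uses named elliptic curves or the RFC 7919 finite-field groups.

```python
"""Toy model of forward secrecy across a full-proxy TLS device.

Constructed example, not part of the original thread. Finite-field DH over a
127-bit prime stands in for the ECDHE/FFDHE exchange TLS actually uses.
"""
import hashlib
import secrets
from typing import Dict, Tuple

P = (1 << 127) - 1   # Mersenne prime M127: toy modulus, far too small for real use
G = 2


def keypair() -> Tuple[int, int]:
    """Fresh ephemeral (private, public) pair; a new one is made for every leg of every session."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def traffic_key(secret: int, label: str) -> bytes:
    """Derive a symmetric key from the DH secret; stands in for the TLS key schedule."""
    return hashlib.sha256(label.encode() + secret.to_bytes(16, "big")).digest()


def dh_leg(label: str) -> Dict[str, object]:
    """Run one ephemeral exchange between endpoint A and endpoint B of a leg.

    Returns both endpoints' derived keys plus the values visible on the wire.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return {
        "a_key": traffic_key(shared_secret(a_priv, b_pub), label),
        "b_key": traffic_key(shared_secret(b_priv, a_pub), label),
        "wire": {"a_pub": a_pub, "b_pub": b_pub},   # the only things an observer sees
    }


def proxied_session() -> Dict[str, object]:
    """Full-proxy session: the device terminates the client leg and opens a backend leg."""
    client_leg = dh_leg("client<->proxy")
    server_leg = dh_leg("proxy<->backend")
    return {
        "client_key": client_leg["a_key"],
        "proxy_client_side_key": client_leg["b_key"],   # proxy is endpoint B of the client leg
        "proxy_server_side_key": server_leg["a_key"],   # proxy is endpoint A of the backend leg
        "backend_key": server_leg["b_key"],
        "wire": {"client_leg": client_leg["wire"], "server_leg": server_leg["wire"]},
    }


def observer_can_derive(wire: Dict[str, int], long_term_rsa_private_key: bytes) -> bool:
    """A passive observer holds the server's long-term key and the public DH values.

    The DH secret depends on an ephemeral private exponent that never leaves
    its endpoint, so nothing in the observer's inputs yields it. This function
    encodes that fact: with only public values and a long-term key, no key derivation
    is possible, which is why passive decryption of PFS sessions is not an option.
    """
    del long_term_rsa_private_key  # irrelevant to the DH secret
    return "a_priv" in wire or "b_priv" in wire


if __name__ == "__main__":
    s = proxied_session()
    print("client leg keys match:", s["client_key"] == s["proxy_client_side_key"])
    print("server leg keys match:", s["proxy_server_side_key"] == s["backend_key"])
    print("legs share a key:     ", s["client_key"] == s["backend_key"])
    print("observer with RSA key:", observer_can_derive(s["wire"]["client_leg"], b"rsa-private-key"))
```

The two legs are what let the device inspect traffic without any access to the client's or backend's ephemeral keys: it decrypts with its own client-leg key, then re-encrypts with its own server-leg key. A device positioned only as an observer holds neither.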