Fortinet black logo

New Features

Home FortiGate / FortiOS 6.4.0 New Features

Support TLS 1.3 for proxy forward servers in certificate inspection mode 6.4.1

6.4.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
Copy Link
Copy Doc ID de1e129a-0283-11ea-8977-00505692583a:600846
Download PDF

Support TLS 1.3 for proxy forward servers in certificate inspection mode 6.4.1

The FortiGate web proxy forward server now supports TLS 1.3. Prior to 6.4.1, if the server requested TLS 1.3, the web proxy forward configuration was unable to accommodate it, so no hello retry request was sent back to the client and the connection was stuck in the client hello phase.

Example

In the following example, the Squid server and the FortiGate can handle TLS 1.3 traffic in both deep and certificate inspection modes.

The following output from the Squid server demonstrates that the FortiGate supports TLS 1.3 traffic and forwards the hello retry request back to the client PC. The client PC then sends the client hello again, and the connection is successfully established.

Previous
Next

Support TLS 1.3 for proxy forward servers in certificate inspection mode 6.4.1

The FortiGate web proxy forward server now supports TLS 1.3. Prior to 6.4.1, if the server requested TLS 1.3, the web proxy forward configuration was unable to accommodate it, so no hello retry request was sent back to the client and the connection was stuck in the client hello phase.

Example

In the following example, the Squid server and the FortiGate can handle TLS 1.3 traffic in both deep and certificate inspection modes.

The following output from the Squid server demonstrates that the FortiGate supports TLS 1.3 traffic and forwards the hello retry request back to the client PC. The client PC then sends the client hello again, and the connection is successfully established.

Previous
Next