diff options
Diffstat (limited to 'chromium/docs/website/site/Home/tls13/index.md')
-rw-r--r-- | chromium/docs/website/site/Home/tls13/index.md | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/chromium/docs/website/site/Home/tls13/index.md b/chromium/docs/website/site/Home/tls13/index.md new file mode 100644 index 00000000000..915019f40d0 --- /dev/null +++ b/chromium/docs/website/site/Home/tls13/index.md @@ -0,0 +1,46 @@ +--- +breadcrumbs: +- - /Home + - Chromium +page_name: tls13 +title: TLS 1.3 +--- + +Chrome enabled TLS 1.3 in Chrome 70. However, due to bugs in some +man-in-the-middle proxies, anti-downgrade enforcement was not enabled. The +problematic proxies in question are duplicating a value in the TLS handshake +from the origin server rather than randomly generating it themselves. Firstly, +this means that they're implementing a slightly different protocol than TLS on +their LAN side, the security properties of which are not clear. Secondly, it +means that these proxies appear to TLS 1.3-enabled clients to be signaling that +a downgrade attack is occurring because they're taking TLS 1.3-based values from +the origin server and using them in a lower-version TLS handshake on the LAN +side. + +In Chrome 72, downgrade protection will be enabled for TLS connections that use +certificates that chain to a public CA. This should not affect MITM proxies +since they cannot use publicly-trusted certificates. However, in order to get to +the point where this workaround can be removed, all affected MITM proxies will +need to be updated. The following lists minimum firmware versions for affected +products that we're aware of: + +Palo Alto Networks: + +* PAN-OS 8.1 must be ≥ 8.1.4 +* PAN-OS 8.0 must be ≥ 8.0.14 +* PAN-OS 7.1 must be ≥ 7.1.21 + +Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in +“Decrypt - Resign mode/SSL Decryption Enabled” +([advisory](https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvj93913.pdf)) +: + +* Firmware 6.2.3 must be ≥ 6.2.3.4 +* Firmware 6.2.2 must be ≥ 6.2.2.5 +* Firmware 6.1.0 must be ≥ 6.1.0.7 + +Administrators can test compatibility by flipping +chrome://flags/#enforce-tls13-downgrade to Enabled + +Please report problems on the [administrator's +forum](https://productforums.google.com/forum/#!forum/chrome-admins).
\ No newline at end of file |