Add TLS 1.3 support


#1

Hello,
Now that TLS 1.3 is an officially released standard, can I request that it go on the new features roadmap, please?

https://datatracker.ietf.org/doc/rfc8446/history/

Thank you.
HCG


#4

Engineering team is considering that … :point_up_2::point_up_2::point_up_2:

Moving from one standard to another may not be a fast process, as it involves reviewing plenty of new changes. If possible, please share with us which components in your requirements need the system to run on TLS 1.3, and the engineering team will consider the feasibility.


#7

The option under PepVPN “Backward Compatibility” Restricted limits the connection to TLS 1.2. Could we add a further option for "more restricted" for TLS 1.3, with a warning note about how to set this up across a network of Peplink devices so as not to lock out access to devices during a switch to this new option? In particular the downgrade protection TLS 1.3 adds.

For implementation order can I suggest:

  1. Remove usage of obsolete and insecure features from TLS 1.2, including the following:
    a. SHA-1
    b. RC4
    c. DES
    d. 3DES
    e. AES-CBC
    f. MD5
    g. Arbitrary Diffie-Hellman groups — CVE-2016-0701
    h. EXPORT-strength ciphers – Responsible for FREAK and LogJam
  2. Cryptographically sign the entire handshake and add RSA-PSS signatures. Likely to not work with self-signed certificates.
  3. Handshake protocol 1-RTT mode.

Of course this may interfere with any FIPS 140-2 certification standards.
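
One way to audit a device's offered TLS cipher suites against items a to f and h of the list in post #7, as an added example that is not part of the thread or of any Peplink code. The function names and the sample suite list are constructed for illustration; item g (arbitrary Diffie-Hellman groups) is not checked because the group in use is not visible in a suite name.

```python
"""Flag IANA-named TLS cipher suites that use primitives from the list above."""

def weak_features(suite):
    """Return the deprecated features named in one IANA cipher-suite identifier."""
    name = suite.upper()
    if name.startswith("TLS_"):
        name = name[4:]
    # TLS 1.2 and earlier: <key exchange>_WITH_<cipher>_<MAC or PRF hash>.
    # TLS 1.3 suites carry no key-exchange part: <cipher>_<hash>.
    kx, sep, rest = name.partition("_WITH_")
    if not sep:
        kx, rest = "", name
    cipher, _, mac = rest.rpartition("_")
    found = []
    if "EXPORT" in kx:
        found.append("EXPORT")
    if "RC4" in cipher:
        found.append("RC4")
    if "3DES" in cipher:
        found.append("3DES")
    elif cipher.startswith("DES"):      # DES_CBC and DES40_CBC
        found.append("DES")
    if cipher.startswith("AES") and cipher.endswith("CBC"):
        found.append("AES-CBC")
    if mac == "SHA":                    # a bare SHA suffix means HMAC-SHA1
        found.append("SHA-1")
    if mac == "MD5":
        found.append("MD5")
    return found

def audit(suites):
    """Map each suite that has at least one deprecated feature to its findings."""
    report = {}
    for suite in suites:
        hits = weak_features(suite)
        if hits:
            report[suite] = hits
    return report

# Constructed sample: suites a scanner might report for one endpoint.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

if __name__ == "__main__":
    for suite, hits in audit(SAMPLE).items():
        print(suite + ": " + ", ".join(hits))
```
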