TLS 1.3 ephemeral keys

[lawrencesystems]

I was unable to find a write up on how Untangle handles this so if someone has one that would be great.

Since adding TLS 1.3 support I was looking for some technical details on how Perfect Forward Secrecy (PFS) is being handled by the SSL inspector. Does Untangle terminate the SSL connection established by the client and establish a new SSL connection to the server? I am assuming this is how it would work so from a client’s perspective, Untangle becomes the server and from the original TLS 1.3 server’s perspective, Untangle would become the client. My concern would be considering that Untangle would not just be inspecting the SSL traffic but terminating the connections would this cause some performance by the higher resource requirements. Also, does Untangle 16.10 automatically disable the QUIC protocol when turning on the SSL inspector?

[LaurentR]

For QUIC, there is an option in Web Filter for that purpose.
http://wiki.untangle.com/index.php/W...#Block_Options

The SSL Inspector also has an FAQ suggesting to do it with a Firewall or Filter Rule (but the above is easier if your have Web Filter enabled).
http://wiki.untangle.com/index.php/SSL_Inspector_FAQs