OPNsense Forum

English Forums => Sensei => Topic started by: loganx1121 on May 28, 2021, 03:25:48 am

Title: TLS 1.3 support
Post by: loganx1121 on May 28, 2021, 03:25:48 am
Does anyone know if Sensei plans on supporting TLS 1.3? I put a ticket in with the Sunny Valley helpdesk asking this a month ago and I never received a response.

Title: Re: TLS 1.3 support
Post by: mb on May 29, 2021, 05:57:48 pm
Hi @loganx1121,

TLS 1.3 is already supported. But I guess you're referring to the ESNI (Encrypted SNI) feature of the TLS 1.3 specification, which, when utilized, makes it impossible (when used in conjunction with DoH/DoT) for filtering systems to firewall TLS 1.3 ESNI flows, since the destination domain/hostname information is then encrypted and not visible.

This will be possible with the Full TLS Inspection feature. This got delayed due to other popular features (Cloud, other platforms, L7 QoS) getting higher priority. We've already implemented the engine part of the solution. The missing parts are the UI components and heavy testing before we make it available for a wider audience. This is the next major delivery we're planning for this year.