Supportability and Compatibility for Inline TLS/SSL Decryption
Refer to the following sections for details:
- Supported Platforms
- GigaSMART Licensing
- Port Requirements
- GigaSMART Compatibility
Supported Platforms
Inline TLS/SSL decryption is supported on the following platforms:
- GigaVUE‑HC1
- GigaVUE‑HC1-Plus
- GigaVUE‑HC3
To enable decryption, both the GigaSMART module and the inline bypass module must be installed on the same node.
GigaSMART Licensing
Required License: Subscription-based TLS/SSL Decryption license.
Inline Bypass Requirements
For physical inline bypass, install a fiber bypass (BPS) combo module. On GigaVUE‑HC1, a copper TAP can also be used for physical bypass. Refer to the table for a list of supported inline bypass modules.
| Model & Module Type | Description & BPS Port Pairs |
|---|---|
| GigaVUE‑HC1 PLUS | Includes: |
| • BPS-HC1-D25A60 (HC1-Plus) | 6 × SX/SR multimode inline network port pairs |
| • BPS-HC1-D35C60 (HC1-Plus) | 6 × LX/LR single-mode inline network port pairs |
| GigaVUE‑HC1 (Classic HC1 Chassis) | Includes: |
| • BPS‑HC1‑D25A24 | 2 × SX/SR multimode (50/125 μm) inline network port pairs + 4 SFP+ cages |
| • BPS-HC1-D25A60 (HC1-Plus) | 6 × SX/SR multimode inline network port pairs |
| • BPS-HC1-D35C60 (HC1-Plus) | 6 × LX/LR single-mode inline network port pairs |
| GigaVUE-HC2 | Includes: |
| • BPS-HC0-D25A4G | 4 × SX/SR (50/125 μm) multimode bypass pairs, 16 SFP/SFP+ cages |
| • BPS-HC0-D25B4G | 4 × SX/SR (62.5/125 μm) multimode bypass pairs, 16 SFP/SFP+ cages |
| • BPS-HC0-D35C4G | 4 × LX/LR single-mode bypass pairs, 16 SFP/SFP+ cages |
| • BPS-HC0-Q25A28 | 2 × SR4 (50/125 μm) bypass pairs, 8 SFP/SFP+ cages (40 Gb capability) |
| GigaVUE-HC3 | Includes: |
| • BPS-HC3-C25F2G | 2 × SR4 (40/100 Gb) BPS pairs, 16 SFP+ cages |
| • BPS-HC3-Q35C2G | 2 × 40 Gb LR bypass pairs, 16 SFP+ cages |
| • BPS-HC3-C35C2G | 2 × 100 Gb LR bypass pairs, 16 SFP+ cages |
The following diagram shows a GigaVUE device with both the GigaSMART and inline bypass (BPS) modules installed:
[Figure 1: GigaVUE Modules: GigaSMART and Inline Bypass]
- The GigaSMART module contains the SSL decryption software.
- The inline network ports are located on the inline bypass module.
- Inline and out-of-band tool ports are available on the same GigaVUE node.
Port Requirements
- For inline traffic, both inline network and inline tool ports require two links (a port pair) to handle bidirectional traffic.
- For out-of-band (offline) traffic, only one link is needed, as the traffic is not bidirectional.
GigaSMART Compatibility
Inline TLS/SSL decryption must be configured exclusively on a GigaSMART engine. It is not compatible with other GigaSMART operations, including Passive TLS/SSL decryption.
- Do not share the same GigaSMART engine with other operations when using inline TLS/SSL decryption.
- You can deploy both inbound and outbound inline TLS/SSL decryption on a single GigaSMART engine.
Note: On GigaVUE‑HC1 nodes, Inline TLS/SSL decryption can be configured alongside other GigaSMART applications.
Supported Ciphers
Inline TLS/SSL decryption supports modern cryptographic algorithms, including the commonly used TLS 1.2 and TLS 1.3 cipher suites.
Combining the following ciphers, MACs, and key exchange algorithms yields many cipher suites:
- Ciphers: AES_128_CBC, AES_128_GCM, AES_256_GCM, AES_256_CBC, Camellia, Chacha20
- MAC: SHA, SHA256, SHA384, Poly1305
- Key Exchange Algorithms: RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA
Diffie-Hellman Ephemeral (DHE) is a key exchange protocol.
Inline TLS/SSL decryption supports these cipher suites and key exchanges without downgrading the organization's cryptography levels.
Cipher suites are a standard combination of the following:
- bulk encryption algorithm—Specifies how to encrypt communications, including the algorithm, key size, and the cryptographic mode used. For example, AES_128_CBC is AES with 128-bit keys in Cipher Block Chaining mode.
- key exchange algorithm—Specifies how both sides authenticate each other during the TLS/SSL handshake. For example, RSA.
- message authentication code (MAC)—Specifies the hash algorithm used to verify that communications have not been tampered with. For example, SHA.
- pseudorandom function—Specifies how the 384-bit master secret, which is used as a source of randomness for session keys, is generated.
Notes:
- TLS/SSL transactions with unsupported ciphers are bypassed (TCP proxied) rather than decrypted.
- The TLS 1.3 cipher suites are defined differently: they do not specify the certificate type (RSA/DSA/ECDSA) or the key exchange mechanism (DHE/ECDHE).
- An Inline TLS/SSL session can now receive a Client Hello that offers the X25519Kyber768 key exchange and fall back to plain X25519. This keeps the connection secure and functional even when the newer, quantum-resistant algorithm cannot be used yet.
The following key sizes are supported:
- RSA—2048, 3072, 4096, 8192
- DH—1024, 2048, 4096
- ECC—prime256v1, ecsecp256r1, ecsecp384r1, ecsecp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, X25519, X448
The following TLS extension is supported:
- RFC7301—Application-Layer Protocol Negotiation (ALPN)
The tables below list the TLS 1.3 and TLS 1.2 cipher suites supported by Inline TLS/SSL Decryption.
TLS 1.3 cipher suites:
| Cipher Name | Encryption (Enc) | MAC |
|---|---|---|
| TLS_AES_256_GCM_SHA384 | AES_256_GCM | SHA384 |
| TLS_CHACHA20_POLY1305_SHA256 | CHACHA20_POLY1305 | SHA256 |
| TLS_AES_128_GCM_SHA256 | AES_128_GCM | SHA256 |
TLS 1.2 cipher suites:
| Cipher Name | Key Exchange (Kx) | Authentication (Au) | Encryption (Enc) | MAC |
|---|---|---|---|---|
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE | RSA | AES128_CBC | SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE | RSA | AES256_CBC | SHA |
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | DHE | RSA | CAMELLIA128 | SHA |
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | RSA | RSA | CAMELLIA128 | SHA |
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | RSA | RSA | CAMELLIA256 | SHA |
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | DHE | RSA | CAMELLIA256 | SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE | RSA | AES128_CBC | SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE | RSA | AES256_CBC | SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE | RSA | AES128_GCM | SHA256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE | RSA | AES256_GCM | SHA384 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ECDHE | RSA | CHACHA20 | POLY1305 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ECDHE | ECDSA | CHACHA20 | POLY1305 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305 | DHE | RSA | CHACHA20 | POLY1305 |
| TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES128_CBC | SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | RSA | RSA | AES256_CBC | SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | RSA | AES128_CBC | SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | RSA | AES256_CBC | SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | RSA | AES128_GCM | SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | RSA | AES256_GCM | SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE | ECDSA | AES128_CBC | SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE | ECDSA | AES256_CBC | SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE | RSA | AES128_CBC | SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE | RSA | AES256_CBC | SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE | ECDSA | AES128_CBC | SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE | ECDSA | AES256_CBC | SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE | RSA | AES128_CBC | SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE | RSA | AES256_CBC | SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE | ECDSA | AES128_GCM | SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE | ECDSA | AES256_GCM | SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE | RSA | AES128_GCM | SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE | RSA | AES256_GCM | SHA384 |
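As an added example (not from the Gigamon documentation), the following Python script decomposes cipher suite names into the Kx/Au/Enc/MAC fields described under Supported Ciphers and checks a server's offered suites against the two tables above, flagging the ones that would be bypassed (TCP proxied) instead of decrypted, which is a visibility gap for the tools behind the decryptor. The two support sets are transcribed from this page; the sample suite list is constructed, and the normalisation of the ChaCha20 names (this page lists the TLS 1.2 ChaCha20 suites without the _SHA256 suffix used in the IANA registry) is an assumption about how those rows should be matched.

```python
import re
# Supported suites, transcribed from the TLS 1.3 and TLS 1.2 tables on this page.
SUPPORTED_TLS13 = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
}
SUPPORTED_TLS12 = set("""
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_DHE_RSA_WITH_CHACHA20_POLY1305 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
""".split())
# Kx/Au precede _WITH_ in TLS 1.2 names; TLS 1.3 names omit them (negotiated separately).
_SUITE_RE = re.compile(r"TLS_(?:(.+?)_WITH_)?(.+?)_(SHA\d*|POLY1305)")

def decompose(suite):
    """Split a suite name into the Kx/Au/Enc/MAC fields used by this page's tables."""
    m = _SUITE_RE.fullmatch(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    kxau, enc, mac = m.groups()
    if kxau is None:
        return {"version": "1.3", "kx": None, "au": None, "enc": enc, "mac": mac}
    parts = kxau.split("_")  # "RSA" -> Kx RSA / Au RSA; "ECDHE_ECDSA" -> ECDHE / ECDSA
    return {"version": "1.2", "kx": parts[0], "au": parts[-1], "enc": enc, "mac": mac}

def audit(suites):
    """Map each suite to 'decrypt' (supported) or 'bypass' (TCP proxied, not decrypted)."""
    verdicts = {}
    for s in suites:
        decompose(s)  # reject names the parser cannot classify
        # Assumption: the page spells the TLS 1.2 ChaCha20 suites without IANA's _SHA256 suffix.
        key = re.sub(r"(_WITH_CHACHA20_POLY1305)_SHA256$", r"\1", s)
        verdicts[s] = "decrypt" if key in SUPPORTED_TLS13 | SUPPORTED_TLS12 else "bypass"
    return verdicts
# Constructed sample of a server's offered suites; the last two are not on the support list.
SAMPLE_SUITES = ["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_AES_128_CCM_SHA256"]
```

Running audit(SAMPLE_SUITES) marks the first two suites decrypt and the last two bypass; any server that prefers a bypassed suite will pass the inline tools encrypted traffic only.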
Post-Quantum Cryptography (PQC) Cipher Support
Post-Quantum Cryptography (PQC) introduces cryptographic algorithms designed to be secure against attacks from both classical and quantum computers. This update enables devices to negotiate and process SSL/TLS sessions using PQC algorithms when performing Inline SSL decryption.
Supported Algorithms
- Key Exchange (KEM):
  - ML-KEM (CRYSTALS-KYBER) in variants mlkem512, mlkem768, mlkem1024
  - Hybrid combinations (e.g., X25519_MLKEM768, SecP256r1_MLKEM768, SecP384r1MLKEM1024)
- Signature Algorithms:
  - ML-DSA (CRYSTALS-DILITHIUM) in variants mldsa44, mldsa65, mldsa87
Supported Key File Types
The supported file types for Inline SSL support for Post-Quantum Cryptography (PQC) Ciphers are as follows:
- PEM format: pq-private (for PQC private keys)
- PKCS12 format: pq-pkcs12 (for PQC key/certificate bundles)
- Certificate files: pq-certificate (for PQC certificates)
You can enable PQC ciphers with the GigaVUE-OS CLI command apps keystore, or by selecting the key type 'PQC' in your Inline SSL profile.
Limitations
The main limitations of the Inline TLS/SSL support for Post-Quantum Cryptography (PQC) ciphers include:
- The FHA Inline TLS/SSL dashboard does not currently show any details related to PQC.
- This feature does not apply when NAT/PAT needs to support multiple Client Hello messages.
- The feature does not support client authentication with PQC algorithm certificates. If a server requests a client certificate, the session is bypassed, and PQC client certificates are not intercepted.
- HSM Luna and nCipher do not support Post-Quantum Cryptography (PQC).
- The new PQC key type is not compatible with the GEN2 Inline SSL flex configuration.
- This feature is also incompatible with the Classic Inline Bypass configuration.